View
2
Download
0
Category
Preview:
Citation preview
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
D11.12: Cyber Data Security
Management Plans
WP11: Project Management
T11.6: Cyber security Management
Authors: Georgios Tsoumanis (CERTH); Panagiotis Tsarchopoulos (CERTH); Dimosthenis
Ioannidis (CERTH)
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
2
Technical references
Project Acronym POCITYF
Project Title A POsitive Energy CITY Transformation Framework
Project Coordinator João Gonçalo Maciel (EDPL)
JoaoGoncalo.Maciel@edp.com
Project Duration 60 months (from October 2019 – to September 2024)
Deliverable No. D11.12: Cyber Data Security Management Plans
Dissemination level* PU
Work Package WP 11: Project Management
Task T11.6: Cyber security Management
Lead beneficiary 38 (CERTH)
Contributing beneficiary/ies 1 (EDPL)
Due date of deliverable 31 March 2020
Actual submission date 30 April 2020
* PU = Public
PP = Restricted to other programme participants (including the Commission Services)
RE = Restricted to a group specified by the consortium (including the Commission Services)
CO = Confidential, only for members of the consortium (including the Commission Services)
In case you want any additional information or you want to consult with the authors of
this document, please send your inquiries to:
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
3
Version History
v Date Beneficiary Author
0.8 21/4/2020 CERTH Georgios Tsoumanis and Panagiotis
Tsarchopoulos
1.0 29/4/2020 CERTH Georgios Tsoumanis and Panagiotis
Tsarchopoulos
Disclaimer
This document reflects only the author's view. Responsibility for the information and views
expressed therein lies entirely with the authors. The Innovation and Networks Executive
Agency (INEA) and the European Commission are not responsible for any use that may be
made of the information it contains.
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
4
Executive Summary
Deliverable D11.12 – Cyber Data Security Management Plans – aims to present a framework
to ensure that POCITYF will comply with privacy and security of sensitive information. The
proposed strategies will facilitate the implementation of a layered data protection
framework allowing the project to collect and manipulate big amounts of data. The
framework will be continuously monitored and assessed to ensure privacy and security on
a constant basis. The deliverable is the outcome of task 11.6 Cyber-security Management,
which aims to address the security and privacy part of data management.
D11.12 heavily depends on the available knowledge about the POCITYF’s Innovative
Elements (IE) in the four Energy Transition Tracks (ETTs). For this reason, the creation of
the deliverable follows a sequential process, following the knowledge creation process
regarding POCITYF’s IEs that happen in WP1, WP6 and WP7.
The current, 1st version of the deliverable introduces the concept of cyber-security and
privacy in smart cities. Moreover, it provides an overview of the cyber-security and privacy
issues relevant to POCITYF 4 ETTs. This version uses the information for POCITYF’s IEs that
is already available in the DoA.
The next, 2nd version, which is due to month 24, will identify and document the critical
cyber-security and privacy challenges associated with POCITYF 4 ETTs. Moreover, it will
provide the recommended actions to address the cyber-security and privacy challenges
and to mitigate relevant risks.
The 3rd and final version, which is due to month 48, will present the results of the
monitoring of the implementation of cyber-security and privacy recommendations.
Moreover, it will evaluate the results and provide insights and lessons learnt from the
POCITY project. The primary outcome will be a practical set of the key takeaways for
protecting the cyber-security and privacy in smart city initiatives.
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
5
Table of contents
Technical references ...................................................... 2
Executive Summary ........................................................ 4
Table of contents .......................................................... 5
List of Tables ...................................................................................... 7
List of Figures ..................................................................................... 7
Abbreviations and Acronyms (in alphabetical order) ...................................... 8
1 Introduction ........................................................... 10
1.1 Objectives and Scope .................................................................. 10
1.2 Relation to other activities ........................................................... 11
1.3 Structure of the deliverable .......................................................... 11
2 Methodological approach ............................................ 12
2.1 Deliverable preparation process..................................................... 12
2.2 Explosive Growth on Internet of Things (IoT) in Smart Cities.................. 13
2.3 Cyber-security vs. Privacy ............................................................ 14
2.4 Privacy concerns ........................................................................ 15
3 Literature review about cyber-security and privacy in Smart
Cities ....................................................................... 17
3.1 Cyber-security in Smart Cities ....................................................... 17
3.1.1 Surveys .................................................................................. 17
3.1.2 Frameworks – Detection schemes ................................................... 19
3.1.3 Secure transactions .................................................................... 21
3.1.4 Data transfer, storage, and processing ............................................. 23
3.2 Privacy in Smart Cities ................................................................ 25
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
6
4 EU initiatives and regulations for cyber-security and privacy in
Smart Cities ............................................................... 27
4.1 Organizations ............................................................................ 27
4.2 Legislation ............................................................................... 28
4.2.1 General Data Protection Regulation (GDPR) ....................................... 29
4.3 EU funded projects ..................................................................... 31
5 POCITYF’s approach .................................................. 34
5.1 Critical energy infrastructure ........................................................ 35
5.2 Smart buildings ......................................................................... 37
5.3 Transportation .......................................................................... 43
5.4 Smart citizens’ data .................................................................... 46
5.5 Indirect to POCITYF approaches ..................................................... 51
6 Conclusions ............................................................ 53
7 References ............................................................. 54
8 ANNEX I - Standards related to IoT and Smart Cities ........... 64
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
7
List of Tables
Table 1 Population change in 10 world’s largest cities at the end of 2019 .......................... 13
Table 2 Security services and the corresponding threats and attacks ................................ 18
Table 3 Communication Protocols for Smart Buildings ................................................. 39
Table 4 Well-known ITS threats, attacks, and countermeasures. ..................................... 44
Table 5 Standards related to IoT and smart cities ...................................................... 64
List of Figures
Figure 1 Overall process for the execution of task 11.6. ............................................... 12
Figure 2 Connected IoT devices worldwide............................................................... 14
Figure 3 Security standards and recommendations for cyber-security of smart buildings ........ 19
Figure 4 Chatfield and Reddick framework ............................................................... 20
Figure 5 POCITYF’s Energy Transition Tracks ............................................................ 34
Figure 6 Three high-level security objectives for the Smart Grid [72] ............................... 37
Figure 7 Types of security products categorized by good, ............................................. 41
Figure 8 A holistic view of the data lifecycle ............................................................ 50
Figure 9 Trusted Platform Module (TPM) ................................................................. 50
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
8
Abbreviations and Acronyms (in alphabetical order)
Abbreviation Definition
ABE Attribute-Based Encryption
AVs Autonomous Vehicles
BEMS/HEMS/CEMS Building/Home/City Energy Management System
BMS Building Management System
CA Central Authority
CNTL Colluded Non-Technical Loss
CP-ABE Ciphertext Policy Attribute-Based Bncryption
CSIRT Computer Security Incident Response Team
CUSUM Cumulative Sum
DC Direct Current
DHC District Heating Cooling
DoA Description of Action
DoS Denial of Service
DPI Deep packet inspection
DSM Demand Side Management
DSO Distribution System Operator
ECSO The European Cyber Security Organisation
EEA European Economic Area
EE-ISAC European Energy - Information Sharing & Analysis Centre
EFTA European Free Trade Association
ENISA European Union Agency for Cyber-security
ETSI European Telecommunications Standards Institute
ETT Energy Transition Track
EV Electric Vehicle
EU European Union
FC Fellow City
GA Grant Agreement
GDPR General Data Protection Regulation
GPS Global Positioning System
IE Innovative Element
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
9
Abbreviation Definition
IDS Intrusion Detection System
IoT Internet of Things
IS Integrated Solution
ITS Intelligent Transport Systems
LH LightHouse
MAS Multi-Agent Systems
NTL Non-Technical Loss
NZEB Near Zero Energy Building
P2P Peer-to-Peer
PCM Phase Change Material
PEB Positive Energy Building
PED Positive Energy District
PV PhotoVoltaic
RAAC Robust and Auditable Access Control
RES Renewable Energy Source
SE Software Engineering
SoS System-of-Systems
SoSSec Systems-of-Systems Security
SwHE Somewhat Homomorphic Encryption
V2G Vehicle to Grid
V2I Vehicles to Infrastructure
V2V Vehicle to Vehicle
VANETs Vehicular ad hoc networks
VSNs Vehicular Social Networks
VPP Virtual Power Plant
WP Work Package
XML Extensible Markup Language
XMPP Extensible Messaging and Presence Protocol
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
10
1 Introduction
1.1 Objectives and Scope
The current deliverable D11.12 – Cyber Data Security Management Plans – aims to present
a framework to ensure that POCITYF will comply with privacy and security of sensitive
information. The proposed strategies will facilitate the implementation of a layered data
protection framework allowing the project to collect and manipulate big amounts of data.
The framework will be constantly monitored and assessed to ensure privacy and security
on a constant basis. The deliverable is the outcome of task 11.6 Cyber-security
Management, which aims to address the security and privacy part of data management.
The task focuses its efforts on data security management and investigates strategies to
implement a layered data protection framework. It also aims to ensure privacy and
security of sensitive information, for legal or ethical reasons, for issues pertaining to
personal privacy.
D11.12 heavily depends on the available knowledge about the POCITYF’s Innovative
Elements (IE) in the four Energy Transition Tracks (ETTs). For this reason, the creation of
the deliverable will follow an iterative process. This process will be in accordance with
the knowledge creation process regarding POCITYF’s IEs that happen in WP1, WP6 and
WP7.
The current, 1st version of the deliverable introduces the concept of cyber-security and
privacy in smart cities and provides an overview of the cyber-security and privacy issues
relevant to POCITYF 4 ETTs. This version uses the information for POCITYF’s IEs that is
already available in the DoA.
The second version, which is due to month 24, will identify and document the critical
cyber-security and privacy challenges associated with POCITYF 4 ETTs. Moreover, it will
provide the recommended actions to address the cyber-security and privacy challenges
and to mitigate relevant risks.
The 3rd and final version, which is due to month 48, will present the results of the
monitoring of the implementation of cyber-security and privacy recommendations.
Moreover, it will evaluate the results and provide insights and lessons learnt from the
POCITY project. The primary outcome will be a practical set of the key takeaways for
protecting the cyber-security and privacy in smart city initiatives.
The updated versions 2 and 3 of D11.12 will be part of D11.9 Data Management Plan -
version 2 and D11.10 Data Management Plan - version 3, which are due to month 24 and
48, respectively.
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
11
1.2 Relation to other activities
T11.6, and subsequently its respective deliverable D11.12, has a relation to many
activities of the POCITYF project. In particular with the activities of WP1 - POCITYF Smart
City Framework Towards an Integrated Deployment, WP2 - Setting Up, Planning and
Execution of Performance Monitoring Activities, WP4 - Citizens Engagement and Open
Innovation Activities, WP6 Evora Lighthouse City demonstration activities, WP7 Alkmaar
Lighthouse City demonstration activities, WP8 Replication Plans and 2050 Vision by Fellow
Cities, and WP9 Clustering and Coordination with Smart City Initiatives and Partnerships.
1.3 Structure of the deliverable
Chapter 2 presents the methodological approach followed for the preparation of the
deliverable. Moreover, it introduces the concepts of cyber-security and privacy in
smart cities.
Chapter 3 contains a literature review about cyber-security and privacy in Smart Cities,
initially categorized in (i) Cyber-security in Smart Cities; and (ii) Privacy in Smart Cities,
while a further categorization applied to each respective subsection. The literature review
is based on published scientific papers and outcomes of research projects related to
security and privacy are studied.
Chapter 4 outlines the key initiatives and regulations in the European Union (EU) for
cyber-security and privacy in Smart Cities.
Chapter 5 provides an overview of the cyber-security and privacy issues relevant to
POCITYF 4 ETTs.
Chapter 6 contains the conclusions.
Chapter 7 contains the references to the scientific articles used in the deliverable.
Chapter 8 contains annexes.
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
12
2 Methodological approach
2.1 Deliverable preparation process
The creation of D11.12 will follow a sequential process, as it heavily depends on the
available knowledge about the POCITYF’s Innovative Elements (IE) in the four Energy
Transition Tracks (ETTs). Thus, the first version of the deliverable, submitted in month 6,
will introduce the concept of cyber-security and privacy in smart cities and will provide
an overview of the cyber-security and privacy issues relevant to POCITYF 4 ETTs. This
version uses information that is already available in the DoA about the projects IEs.
The second version, delivered in month 24, will use the information about IEs that will be
collected in WP 1, WP 6 and WP 7 deliverables (i.e. City Vision and Master Plan for ETT#1,
2, 3 and 4 Solutions, Updating Evora's Vision and Master Planning, and Updating Alkmaar’s
Vision and Master Planning). Based on a more advanced body of knowledge about the
POCITYF’s solutions, it will identify and document the critical cyber-security and privacy
challenges associated with POCITYF 4 ETTs. Moreover, the 2nd version of D11.12 will
provide the recommended actions to address the cyber-security and privacy challenges
and to mitigate relevant risks.
The final version, submitted in month 48, will present the results of the monitoring of the
implementation of cyber-security and privacy recommendations. Moreover, it will
evaluate the results and provide insights and lessons learnt from the POCITY project. The
primary outcome will be a practical set of the key takeaways for protecting the cyber-
security and privacy in smart city initiatives. Figure 1 presents the overall process for the
execution of task 11.6.
Figure 1 Overall process for the execution of task 11.6.
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
13
2.2 Explosive Growth on Internet of Things (IoT) in Smart Cities
In the 16-01-2020 Business Insider’s article titled “How smart city technology & the
Internet of Things will change our apartments, grids and communities” [1], it is mentioned
that over the past years, people continue to flock to large cities for several reasons, such
as employment opportunities, lifestyle, and more. In the same article, the growth of the
20 largest cities in the USA is presented, showing that most of these cities (i.e., all but
one) experienced population growth during 2019. In Table 1 [2], the 1-year (2019)
population change in the ten most inhabited cities in the world is given, showing that 8
out of 10 of these cities were even larger by the end of 2019.
Table 1 Population change in 10 world’s largest cities at the end of 2019
Rank Name 2020
Population
2019
Population Change
1 Tokyo 37,393,129 37,435,191 -0.11%
2 Delhi 30,290,936 29,399,141 3.03%
3 Shanghai 27,058,479 26,317,104 2.82%
4 Sao Paulo 22,043,028 21,846,507 0.90%
5 Mexico City 21,782,378 21,671,908 0.51%
6 Dhaka 21,005,860 20,283,552 3.56%
7 Cairo 20,900,604 20,484,965 2.03%
8 Beijing 20,462,610 20,035,455 2.13%
9 Mumbai 20,411,274 20,185,064 1.12%
10 Osaka 19,165,340 19,222,665 -0.30%
In order to follow the same rate as the surging population, cities need to become more
efficient, the latter goal to be approached in many cases by turning the cities into Smart
Cities. Smart Cities exploit Internet of Things (IoT) devices (e.g., connected sensors,
lights, meters, etc.) to collect and analyse data to use them in order to improve
infrastructure, public utilities, services, and more. IoT, being the backbone of Smart
Cities, mainly refers to the interconnection and exchange of data among IoT devices.
Currently, with the explosive growth the IoT technologies have met [3], an increasing
number of practical applications can be found in many different fields, such as security,
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
14
asset tracking, agriculture, smart metering, smart homes, and smart cities [4]. As for the
IoT devices, the total installed, connected devices are expected to reach 75.44 billion
worldwide by 2025 (Figure 2) [5].
Figure 2 Connected IoT devices worldwide
In this sense and given the rapid growth of technology involved in the Smart City concept,
it is vital to identify and implement security controls for their fluent operation. Smart City
(cyber)security and privacy are essential to be considered for a city to incorporate Smart
City’s technologies; thus, improving its citizens’ living conditions.
2.3 Cyber-security vs. Privacy
In the next sections, a literature review about cyber-security and privacy in Smart Cities
is given, among others. Before that, it is worth mentioning that different works have
provided the readers with different approaches on how cyber-security is differentiated
from privacy. In this deliverable, the authors will follow the terms given in [6] for both
cyber-security and privacy. More specifically:
- Cyber-security will refer to the measures taken in order to protect a device (e.g.,
computer, computer system, IoT device, etc.) against unauthorized access. A
robust cyber-security policy protects and secures critical and sensitive data and
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
15
prevents malicious third parties from acquiring or destroying them. The most
common forms of cyber-attacks are (i) phishing; (ii) Spear-phishing; and (iii)
injecting malware code into a computer system.
- Privacy will refer to the type of “information security that deals with the proper
handling of data concerning consent, notice, sensitivity, and regulatory concerns”
[7]. On its basic level, data privacy’s goal is about consumers’ understanding of
their rights on how their personal information is collected, stored, used, and
shared. The exploit of personal information must be explained to consumers simply
and transparently. In most cases, consumers are asked to give their consent before
their personal information is used.
2.4 Privacy concerns
Privacy in any technology is mainly connected to the rights of citizens that must be
guaranteed anywhere and anytime. Privacy breaches in Smart Cities services can be an
issue for users that are not familiar with security issues (especially adolescents and the
elderly). As a result, they can be perfect targets for attackers who take advantage of their
interaction with many services through their smartphones, tablets, and computers,
revealing personal data such as gender, age, and location.
In order for the Smart Cities to become “accepted” by the public opinion, it is necessary
to acknowledge people's concerns about their privacy in the development of smart cities;
thus, maintaining their support and participation [8]. Regarding the general term of
privacy, it is interesting to mention that the theoretical research about it is diverse and
contradictory [9]. For example, Yuan Li, in his work “Theories in online information
privacy research: A critical review and an integrated framework” [10] back in 2012,
identified 15 different theories of privacy in online contexts. Besides, and with the advent
of social media, two paradoxes are identified by the privacy research. The first paradox
lies in people’s lacking appropriate secure and private behaviour, despite their expressing
concerns about their privacy. Interestingly, the most popular password in 2019 was
1234561 , and many people use a single password for multiple accounts [11]. This paradox,
known as the “privacy paradox” [12], is further enhanced by the fact that individuals
share their personal information on numerous social media sites (e.g., Facebook, Twitter,
etc.). At the same time, they do not feel secure about doing so. The second paradox is
the “control paradox,” which describes how the feeling of being in control over-delivering
1 Keck, Catie. “It's Time to Nervously Mock the 50 Worst Passwords of the Year.” Gizmodo, Gizmodo, 19
Dec. 2019, gizmodo.com/its-time-to-nervously-mock-the-50-worst-passwords-of-th-1840514905.
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
16
or registering one's data leads to less concern about how one's data are later used by other
parties [13].
For further enhancing the significance of privacy challenges in smart cities, an example is
given in the sequel as used in [14]:
“A vehicle’s license plate can be connected to the vehicle owner’s identity. Hence, the
trajectory of a vehicle can easily be traced even if all communications between the
vehicle and infrastructure are encrypted and each device is authenticated by others. This
is against the common notion of privacy, which includes the right of people to lead their
lives in a manner that is reasonably secluded from public scrutiny, whether such scrutiny
comes from a neighbour’s prying eyes, an investigator’s eavesdropping ears, or a news
photographer’s intrusive camera. In a smart city, future vehicles will have various
communication capabilities that include Internet access, GPS, an electronic tolling
system, and RFID. Connected devices in a vehicle will store lots of personal information
and have various communication capabilities. In a smart city, the number of connected
devices will be very high. The data collected by IoT will allow data consumers to
understand the behaviours of data owners or use the data to derive highly personal
information, including daily habits”.
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
17
3 Literature review about cyber-security and privacy in Smart Cities
In this section, a literature review is given, initially categorized in (i) Cyber-security in
Smart Cities; and (ii) Privacy in Smart Cities, while a further categorization will be applied
to each respective subsection. Note that in some papers or projects, both security and
privacy are studied. In such cases, information regarding privacy will be given in the
security’s section and vice-versa.
3.1 Cyber-security in Smart Cities
Smart city services can extend into many diverse domains, such as environment,
transportation, health, tourism, home energy management, safety, security, etc. [15]. In
order to better present the past works related to cyber-security in Smart Cities, a
categorization of them will be employed here. More specifically, the presented works are
categorized as follows:
- Surveys (for works published until 2016)
- Frameworks – Detection Schemes
- Secure Transactions
- Data transfer, storage, and processing
3.1.1 Surveys
For works published until 2016, several papers survey many techniques for cyber-security
of Smart Cities, while some of them are dedicated to a specific Smart City part.
He and Yan surveyed Cyber-physical attacks regarding smart grids in their work “Cyber-
physical attacks and defences in the smart grid: a survey” [16]. In the same year, Yan et
al. have published “Detection of False Data Attacks in Smart Grid with Supervised
Learning” [17], a comparative study on the utilization of supervised learning classifiers
for the detection of direct and stealth false data injection (FDI) attacks in smart grids.
Jow et al. surveyed intrusion detection systems during that period in their review paper
“A survey of intrusion detection systems in smart grid” [18]. Standards in smart grid
security are surveyed in “Smart grid security--an overview of standards and guidelines”
[19] by Ruland et al.
Lu et al. survey the security, trust, and privacy advances in vehicular ad hoc networks
(VANETs) in their work “A Survey on Recent Advances in Vehicular Network Security, Trust,
and Privacy” [20], stating that in order to share the critical driving information in ITS
systems, VANETs are established with two types of communication: (i) vehicle-to-vehicle
(V2V), and (ii) vehicles-to-infrastructure (V2I). To the authors’ view, the core security
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
18
problem in VANETs is how to make the V2V and V2I communication channels secure.
Regarding the security in each VANET’s service, the threats are categorized as shown in
Table 2 [20].
Table 2 Security services and the corresponding threats and attacks
Security Service Threats & Attacks
Availability Denial of Service (DoS) attack
Jamming attack
Malware attack
Broadcast Tampering Attack
Black Hole and Gray Hole Attack
Greedy Behavior Attack
Spamming Attack
Confidentiality Eavesdropping Attack
Traffic Analysis Attack
Authenticity Sybil Attack
Tunneling Attack
GPS Spoofing
Free-Riding Attack
Integrity Message Suppression/Fabrication/Alteration Attack
Masquerading Attack
Replay Attack
Non-Repudiation Repudiation Attack
Khatoun et al. have recommended the security standards for cyber-security of smart
buildings, as shown in Figure 3 [14].
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
19
Figure 3 Security standards and recommendations for cyber-security of smart buildings
3.1.2 Frameworks – Detection schemes
Li and Liao in their 2016 work “An economic alternative to improve cyber-security of e-
government and smart cities” [21] extended in their 2018 work “Economic solutions to
improve cyber-security of governments and smart cities via vulnerability markets” [22]
explored alternative economic solutions ranging from incentive mechanisms to market-
based solutions to motivate smart city product vendors, governments, and vulnerability
researchers and finders to improve the cyber-security of smart cities. First, the authors
model the life cycle of smart city vulnerabilities by considering the role of government,
smart product vendors, internal vs. external vulnerability finders, and offensive vs.
defensive vulnerability buyers, as well as the likelihood of malicious cyber-attacks on
smart cities and e-government. The model defined is analyzed in a four-party game
theoretical framework. Then, two alternative economic solutions are proposed based on
the modelling analysis of economic incentives. The first solution they propose is a carrot-
and-stick-like strategy, in the sense that the government either rewards vendors for
security investment by paying for their products or “punishes” them financially for
vulnerability exploitation. The second solution is about encouraging vendors and
governments to participate in the vulnerability market and compete with malicious
attackers to purchase vulnerabilities for defensive purposes.
Chatfield and Reddick in “A framework for Internet of Things-enabled smart government:
A case of IoT cyber-security policies and use cases in U.S. federal government” [23]
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
20
developed a framework for IoT-enabled smart government performance. The latter
framework, depicted in Figure 4, is applied to conduct case study analyses of digital
technology and IoT cyber-security in major application domains at the U.S. federal
government level. The results showed that some agencies were strategic and forward-
thinking in funding and partnering with sub-national governments in promoting IoT use.
On the other hand, as shown in the paper, a critical need for national IoT policies to
promote systemic IoT use across the application domains remains yet.
Figure 4 Chatfield and Reddick framework
A recently discovered Non-Technical Loss (NTL), called Colluded Non-Technical Loss
(CNTL), is studied in “A novel detector to detect colluded non-technical loss frauds in
smart grid” [24] by Han and Xiao. As stated there, “existing detection schemes cannot
detect CNTL frauds since these methods do not consider the co-existing or collaborating
fraudsters, and therefore cannot distinguish one from many fraudsters.” In this sense, the
authors proposed a CNTL fraud detector for detecting CNTL frauds. The proposed
method’s goal is the quick detection of a tampered meter, based on recursive least
squares. After identifying the tampered meter, the proposed scheme can detect different
fraudsters using mathematical models.
Attia et al., in “An efficient Intrusion Detection System against cyber-physical attacks in
the smart grid,” [25] proposed an Intrusion Detection System (IDS) architecture to detect
lethal attacks, focusing on two smart grid security issues: (i). Against integrity issue with
price manipulation attack, a Cumulative Sum (CUSUM) algorithm is proposed to detect this
attack even with granular price changes; and (ii). The availability issue with Denial of
Service (DoS) attack against which an efficient method to monitor and detect any
misbehaving node was proposed there.
Nangrani and Bhat, in their paper “Smart grid security assessment using intelligent
technique based on novel chaotic performance index” [26] proposed an intelligent
technique that uses interleaving technique. More specifically, the authors of this paper
suggest an intelligent monitoring technique for smart grid security assessment using an
interleaved index. The latter includes Lyapunov Exponent based monitoring of
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
21
uncontrolled growth of power flow in conjunction with a general index of overload on the
grid.
Christos Tsigkanos et al. in their 2018 paper “On the Interplay Between Cyber and Physical
Spaces for Adaptive Security” [27], they proposed the use of Bigraphical Reactive Systems
in order to model the topology of cyber and physical spaces and their dynamics. Then,
they use these models to perform speculative threat analysis and propose an automatic
planning technique to identify an adaptation strategy enacting security policy at runtime
to prevent, circumvent, or mitigate possible security requirements violations.
Alrimawi et al., in their recent (08/2019) work “On the Automated Management of
Security Incidents in Smart Spaces” [28] have developed a reporting of incidents approach
in smart spaces (e.g., smart buildings) which supports sharing and visualization of incident
instantiations in different smart buildings. Moreover, they provided filters to prioritize
incidents depending on their number of actions or the components of the smart space that
they involve.
Hachem et al. in their 2020 paper “Modelling, Analysing and Predicting Security Cascading
Attacks in Smart Buildings Systems-of-Systems” [29], aim at investigating if Software
Engineering (SE) can be the basis for modelling and analysing secure System-of-Systems
(SoS) solutions against high impact (cascading) attacks at the architecture stage. The
proposed model, called Systems-of-Systems Security (SoSSec), consists of SoSSecML
language for SoS modeling and Multi-Agent Systems (MAS) for security analysis of SoS
architectures. Moreover, a case study was conducted there on a real smart building,
showing that their method can discover cascading attacks that consist of many individual
attacks (e.g., Denial of Service.)
3.1.3 Secure transactions
Kishimoto et al. have proposed SPaCIS, a protocol for secure payments in smart grids. In
“SPaCIS: Secure Payment Protocol for Charging Information over Smart Grid” [30]. SPaCIS
provides the consumer with the ability to validate the charging information.
As mentioned in [31], the adoption of Computer Security Incident Response Teams
(CSIRTs) is necessary for the proper management of security incidents in Smart Grids. In
the same paper, the authors propose an incident classification to assist CSIRT’s
implementation for Smart Grids, considering the specific concerns of the different
response teams that handle incidents.
Blockchain technology, firstly introduced for exchanging digital currency, has found
security and privacy applications in many other areas, such as IoT [32], smart home [33],
and smart city [34]. In “A framework of blockchain-based secure and privacy-preserving
E-government system” [35] Elisa et al. propose a blockchain system dedicated to e-
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
22
government. More specifically, a framework of a decentralized e-government peer-to-
peer (P2P) system enabling the communication between e-government and users’ devices
is proposed there, based on the blockchain technology. During a new device (either e-
government or user-owned) joining the system, the existing peers of the network decide
to approve or disapprove the registration of the new device. If the registration is
approved, one of the pre-existed peers is elected to set up the new network “node” and
assign it a “blockchain wallet.” A prototype of the system mentioned above is presented.
Then, it is followed by the theoretical and qualitative analysis of the security and privacy
implications of such a system. In the same spirit, Yang et al. in “Privacy and Security
Aspects of E-government in Smart Cities” [36] propose a similar to [35] peer-to-peer
system is proposed based on blockchain technology. In addition, a useful summary of the
technologies and techniques used for secure e-Government systems is presented there
and goes as follows: (i). Blockchain; (ii). Artificial intelligence and machine learning; (iii).
Biometric security and surveillance; (iv). Patching security vulnerabilities; (v). Deep
packet inspection (DPI); (vi). Enhanced connected device security; and (vii). Mutual
authentication.
Mylrea and Gourisetti, in their work “Blockchain for Smart Grid Resilience: Exchanging
Distributed Energy at Speed, Scale and Security” [37] in 2017, outlines how to apply
blockchain-based smart contracts to increase speed, scale and security of exchanges of
distributed energy resources. In addition, they propose two existing testbeds to simulate
the power grid’s complex system: (i). the PNNL’s B2G testbed; and (ii). the integrated
Transactive Campus. The latter provides a unique combination of live telemetry and real-
time data to simulate the power grid and improve the state of the art of blockchain
security technology to create a more resilient grid. Blockchain in smart grids has also been
the case for Musleh et al. in their more recent review article “Blockchain Applications in
Smart Grid - Review and Frameworks” [38]. The authors there, state that power grids are
starting a very effective utilization of blockchain technology while the technique is not
yet mature enough. They also categorize the reviewed works in three categories: (i).
Energy trading; (ii). Electric Vehicles; and (iii). Microgrid operations.
Li et al., in their work “Consortium Blockchain for Secure Energy Trading in Industrial
Internet of Things,” [39] observed the typical energy trading scenarios in Industrial IoT
(IIoT). They established a unified energy blockchain with moderate cost. In addition, to
reduce the limitation of transaction confirmation delays, they designed a credit-based
payment scheme to support frequent energy trading enabling fast payment. Finally, for
the credit-based payment scheme, they proposed an optimal pricing strategy using
Stackelberg game [40] for credit-based loans to maximize the utility of the credit bank.
Biswas et al. in “A Scalable Blockchain Framework for Secure Transactions in IoT,” [41]
proposed a solution to address the generation of transactions at a rate in which current
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
23
blockchain solutions cannot handle and the impossibility of implementing Blockchain peers
onto IoT devices due to resource constraints. The proposed solution uses a local peer
network to bridge the gap. It restricts the number of transactions which enters the global
Blockchain by implementing a scalable local ledger, without compromising on the peer
validation of transactions at a local and global level.
3.1.4 Data transfer, storage, and processing
Storing data in servers through cloud computing has been proposed by many researchers
as a feasible solution for e-health. On the other hand, cloud computing involves potential
threats to security and protection of healthcare data [42], such as threats arising by Denial
of Service (DoS) attacks, cloud malware injection attack, man-in-the-middle
cryptographic attack, spoofing, collusions attack [43]. As a result, the research about
security and privacy for e-health focuses most on cloud computing security and privacy
techniques that fit in the e-health perspective. One such technique and its modifications
is the Homomorphic encryption [44] where modifications of the encrypted data take place
without decrypting it. One version of this technique, the Somewhat Homomorphic
Encryption (SwHE) technique, has been successfully proven in medical and financial
applications [45].
Zhu et al., in their work “An Efficient and Privacy-Preserving Biometric Identification
Scheme in Cloud Computing” [46] examine the biometric identification scheme [47]
revealing its security weakness under a proposed level-3 attack. More specifically, they
show there that an attacker can recover the secret keys by colluding with the cloud; thus,
decrypting the biometric traits of all users. For tackling the above problem, a new
biometric identification scheme in this work with the goal to ensure security is proposed,
based on a new encryption algorithm proposed there and cloud authentication
certification.
Xue et al. presented robust and Auditable Access Control (RAAC) in “RAAC: Robust and
Auditable Access Control with Multiple Attribute Authorities for Public Cloud Storage”
[48]. The authors there propose secure access control that counters the single-point
performance bottleneck-k problem. In order to achieve its goals, trust between RAAC and
Central Authority (CA) is necessary for key generation and distribution. On the other hand,
a deniable Attribute-Based Encryption (ABE) scheme for cloud storage services is studied
by Chi and Lei in “Audit-Free Cloud Storage via Deniable Attribute-Based Encryption” [49].
In this paper, ABE characteristics are used for creating a scheme that enhances Waters's
ciphertext policy attribute-based encryption (CP-ABE) scheme [50]. In the same sense,
Huang et al., in their work “Efficient Anonymous Attribute-Based Encryption with Access
Policy Hidden for Cloud Computing,” [51] proposed an anonymous attribute-based
encryption scheme for cloud data so as to enhance privacy protection of ABE schemes. In
addition, performance in terms of storage, communication, and computational overheads
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
24
is also aimed under the latter paper while satisfying constant secret key length and
reasonable size of ciphertext requirements. ABE is also the key point by Li et al. in the
scheme they proposed in their paper “Unified Fine-Grained Access Control for Personal
Health Records in Cloud Computing” [52]. First, the scheme generates shared information
by the common access sub-policy, which is based on different patients’ access policies.
Then, after combining the encryption of PHRs from different patients, the aim is to reduce
both time consumption of encryption and decryption.
A disease prediction scheme, called PPDP, is proposed in “PPDP: An efficient and privacy-
preserving disease prediction scheme in the cloud-based e-Healthcare system” [53]. In
this work, Zhang et al. proposed the scheme mentioned above (i.e., PPDP scheme), which
is characterized by employing random vectors and matrices, thus enabling the outsourced
EHRs with the ability to be handled and trained on the cloud server by using SLP algorithm
without leaking sensitive information.
Kim and Kim thoroughly discuss the benefits of adopting a cloud computing approach for
Smart Grids security in their review paper “Benefits of cloud computing adoption for smart
grid security from a security perspective” [54].
Security Data Transmission for ITS in Mobile Heterogeneous Cloud Computing systems is
the case of Gai et al. paper “SA-EAST: Security-Aware Efficient Data Transmission for ITS
in Mobile Heterogeneous Cloud Computing” [55]. The authors in the latter work propose
a mobile heterogeneous cloud implementation using dynamic task assignments to achieve
high performance and secure wireless transmissions in ITS. The approach is based on
mapping cloud resources that can be implemented in other systems for security-aware
efficient solutions and a deployment is presented that can be employed for securing
ubiquitous CPS by using mobile heterogeneous cloud computing.
Wu et al., in their paper “Establishing an Intelligent Transportation System With a Network
Security Mechanism in an Internet of Vehicle Environment” [56] proposed an integration
of ITS in traffic signal control to aid emergency vehicles in more promptly arriving at their
destinations. For tackling traffic incidents, regular vehicles are enabled with the ability
to obtain proof of incident from pertaining authorities, learn about nearby vehicles global
positioning system information (e.g., position and speed), and utilize their car camcorder
data for proving purposes. To achieve their goals, the authors propose filtered information
transmissions by roadside units with traffic signal control towards the certificate
authority.
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
25
3.2 Privacy in Smart Cities
As in an information system, so in Smart Cities, there are three main operations: data
transfer, storage, and processing. Privacy concerns can occur during any of these
operations, which can affect the user’s behavior [14].
Driven by a Privacy Compliance Assessment derived from the European Union’s General
Data Protection Regulation (GDPR), Anisetti et al. in their work “Privacy-aware Big Data
Analytics as a Service for Public Health Policies in Smart Cities” proposed a new Big Data-
assisted public policy in order to turn the implementation progress into “privacy-by-
design.” The proposed approach is based on a Big Data Analytics as a Service approach,
which is discussed in the context of a public health policymaking process.
Shen et al., in their 2018 paper “Privacy-Preserving Support Vector Machine Training over
Blockchain-Based Encrypted IoT Data in Smart Cities,” [57] proposed a privacy-preserving
SVM training scheme over blockchain-based encrypted IoT data. By utilizing the blockchain
techniques, the authors build a data-sharing platform among multiple data providers,
where IoT data is encrypted and then recorded on a distributed ledger. In addition, they
construct an SVM training algorithm, tat only requires two interactions in a single
iteration, without the need for a third-party.
Lim and Taeihagh in their 2018 study “Autonomous Vehicles for Smart and Sustainable
Cities: An In-Depth Exploration of Privacy and Cyber-security Implications” [58]
highlighted the literature supporting the need for enabling the Smart Cities with the
ability to use Autonomous Vehicles (AVs) for their citizens’ transportation. Then, they
identified the most significant aspects of privacy and cyber-security in AVs. Regarding
privacy in AVs, it is stated there that in many cases (e.g., efficient traffic management,
accurate assignment of liability in the event of collisions, etc.), AVs have to store highly
sensitive data and transmit them to other vehicles, connected infrastructure, or third-
party organizations through external V2V and V2I communication networks. As a result,
unrestricted sharing of data may occur, the latter raising privacy concerns.
Privacy in Vehicular Social Networks (VSNs) (i.e., mobile communication systems formed
by the combination of relevant concepts and features from the vehicular ad-hoc networks
and social networks [59]) is discussed in Yu et al. paper “MixGroup: Accumulative
Pseudonym Exchanging for Location Privacy Enhancement in Vehicular Social Networks”
[60]. For enhancing the location privacy, the authors in this work proposed the “MixGroup”
scheme. MixGroup scheme integrates the mechanism of group signature and constructs an
extended pseudonym-changing region. Doing so and by accumulatively exchanging
pseudonyms, vehicles will have their pseudonym entropy consecutively increased. As a
result, location privacy was substantially enhanced.
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
26
Wang et al. in “TCSLP: A trace cost based source location privacy protection scheme in
WSNs for smart cities” [61] proposed that privacy can be protected by creating several
phantom source nodes. These nodes are placed near the real source node (i.e., the node
that transmits packets towards the sink node). This technique limits the ability of an
adversary to find the real source node.
Beltran et al., in their 2017 paper “An ARM-Compliant Architecture for User Privacy in
Smart Cities: SMARTIE — Quality by Design in the IoT,” proposed the “SMARTIE”
architecture. Except for being the architecture’s name, SMARTIE is also the acronym of
the EU-funded project, under which the architecture was funded and developed, titled
“Secure and sMArter ciTIes data management”2. SMARTIE architecture is based on IoT-
ARM for securing and preserving privacy during the dissemination of data in Smart Cities.
Alabdulatif et al. propose a cloud-based model for providing a privacy preserving anomaly
detection service for decision-making in Smart Cities in “Privacy-preserving anomaly
detection in the cloud for quality assured decision-making in smart cities” [62]. The
authors there employ homomorphic encryption in order to preserve data privacy. In
addition, for countering computational overheads associated with homomorphic
encryption, they utilize MapReduce based distribution of tasks and parallelization.
An interesting aspect of privacy in electricity consumption was studied by Alamaniotis et
al. and given in “Enhancing privacy of electricity consumption in smart cities through the
morphing of anticipated demand pattern utilizing self-elasticity and genetic algorithms”
[63]. In this paper, a method for enhancing consumer privacy in smart cities is proposed
under an intelligent aggregation of anticipated demand patterns of multiple consumers as
a means to hide individual features. The proposed method makes use of consumers' self-
elasticities matrices and a genetic algorithm to create an aggregated pattern that masks
individual consumption data.
For privacy in a Vehicle-to-Grid (V2G) network, Han and Xiao in their work “IP2DM:
integrated privacy-preserving data management architecture for smart grid V2G
networks” [64] studied the data management of V2G networks in smart grids with privacy-
preservation. The goal here was to benefit both the customers (because of privacy
preservation) and the utility companies. Both data aggregation and data publication of
V2G networks are aimed to be protected under the proposed architecture. To check the
architecture’s security, it is analyzed in several typical V2G networks attacks, and
experiments are conducted on it.
2 CORDIS | European Commission. (2020). Retrieved 9 March 2020, from
https://cordis.europa.eu/project/id/609062
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
27
4 EU initiatives and regulations for cyber-security and privacy in Smart Cities
4.1 Organizations
In Europe, ERTICO - ITS Europe [65] is an Intelligent Transportation System (ITS)
organization that promotes relevant research and defines ITS industry standards. More
specifically, ERTICO – ITS is a network of stakeholders in Europe, connecting public
authorities, industry, infrastructure operators, users, national ITS associations, and other
organizations. Regarding the United States, each state has its own ITS chapter that holds
a yearly conference to promote and showcase ITS technologies and ideas. Representatives
from each Department of Transportation (state, cities, towns, and counties) within the
state attend this conference.
Over the past years, ITS technologies and services have been the case for many research
communities and standardization organizations, such as IEEE, the European
Telecommunications Standards Institute (ETSI), the Car2Car Communication Consortium,
and the U.S. National Highway Traffic Safety Administration (NHTSA). During Horizon
2020, the most significant EU Research and Innovation programme3, ITS has been the main
or one of the main subjects of research in 103 projects in “Transport & Mobility” domain
of application4.
The European Union Agency for Cyber-security (ENISA)5 has been working to make Europe
cyber-secure since 2004. The Agency is located in Athens, Greece and has a second office
in Heraklion, Greece. The Agency, in cooperation with the Member States and private
sector, delivers advice and solutions as well as improvements for their capabilities. This
support includes the pan-European Cyber-security Exercises, the development, and
evaluation of National Cyber-security Strategies, CSIRTs cooperation and capacity
building, studies on IoT and smart infrastructures, addressing data protection issues,
3 Kugleta. (2017, March 15). What is Horizon 2020? Retrieved from
https://ec.europa.eu/programmes/horizon2020/en/what-horizon-2020
4 CORDIS | European Commission. (2020). Retrieved 8 March 2020, from
https://cordis.europa.eu/search/en?q=contenttype%3D%27project%27%20AND%20(programme%2Fcode%3D
%27H2020%27)%20AND%20applicationDomain%2Fcode%3D%27trans%27%20AND%20(%27Intelligent%27%20AND
%20%27transportation%27%20AND%20%27technologies%27)&p=1&num=10&srt=Relevance:decreasing
5 Enisa.europa.eu. 2020. ENISA. [online] Available at: <https://www.enisa.europa.eu/> [Accessed 2 April
2020].
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
28
privacy-enhancing technologies and privacy on emerging technologies, eIDs and trust
services, identifying the cyber threat landscape, and others.
The European Cyber Security Organisation (ECSO)6 is an entirely self-financed non-profit
organization under the Belgian law, established in June 2016. ECSO represents the
contractual counterpart to the European Commission for the implementation of the Cyber
Security contractual Public-Private Partnership (cPPP). ECSO members include a wide
variety of stakeholders such as large companies, SMEs and Start-ups, research centers,
universities, end-users, operators, clusters and association as well as European Member
State’s local, regional and national administrations, countries part of the European
Economic Area (EEA) and the European Free Trade Association (EFTA) and H2020
associated countries.
The European Energy - Information Sharing & Analysis Centre (EE-ISAC)7 is an information-
sharing network of trust driven by the industry. Private utilities and solution providers, as
well as (semi)public institutions such as academia, governmental and non-profit
organizations, will share knowledge and information by monitoring the cyber-security
situation within the energy sector.
4.2 Legislation
In 2013, the European Commission (EC) adopted the Directive (2013/40/EU) on attacks on
information systems, which aims to prevent large-scale cyber-attacks by requesting from
EU countries to update their national cybercrime laws and adopt harsher criminal
penalties.
In 2016, the EC proposed the first piece of cyber-security legislation, the EU Network and
Information Security (NIS) Directive (EU2016/1148). This Directive has three parts: a) the
supervision of cyber-security of critical infrastructure in sectors such as energy, health or
transport sector by each EU Member State, b) each EU country should have its national
cyber-security capabilities, such as a Computer Security Incident Response Team (CSIRT)
and c) ensure cross-border cooperation among EU countries.
6 ECSO - European Cyber Security Organisation. 2020. ECSO - European Cyber Security Organisation.
[online] Available at: <https://ecs-org.eu/> [Accessed 2 April 2020].
7 EE-ISAC - European Energy - Information Sharing & Analysis Centre. 2020. Home - EE-ISAC - European
Energy - Information Sharing & Analysis Centre. [online] Available at: <https://www.ee-isac.eu/>
[Accessed 2 April 2020].
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
29
In 2017, the EC introduces the EU Cyber-security Act, which remodels and expands ENISA’s
capabilities and creates an EU-wide certification framework in cyber-security.
In 2019, the EC adopted the recast of the Electricity Regulation (EU) 2019/943, which
gives the EC a mandate to create a cybersecurity network code for the electricity sector
in order to increase its reliability and protect the grid.
4.2.1 General Data Protection Regulation (GDPR)
Regulation (EU) 2016/679 of the European Parliament and the Council, the European
Union’s ('EU') new General Data Protection Regulation (GDPR), regulates the processing
by an individual, a company or an organization of personal data relating to individuals in
the EU. It does not apply to the processing of personal data of deceased persons or legal
persons. The rules do not apply to data processed by an individual for purely personal
reasons or activities carried out in one's home, provided there is no connection to a
professional or commercial activity. When an individual uses personal data outside the
personal sphere, for socio-cultural or financial activities, for example, then the data
protection law has to be respected8.
The way GDPR can affect smart cities’ development has been discussed lately. The answer
in this question can be given by applying parts of the new regulation that seem to play an
important role [66].
In Article 4 of GDPR, the term “personal data” is given: “personal data” means any
information relating to an identified or identifiable natural person (‘data subject’); an
identifiable natural person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an identification number, location
data, an online identifier or to one or more factors specific to the physical, physiological,
genetic, mental, economic, cultural or social identity of that natural person.
In Article 5 of the Regulation, personal data are described as: “adequate, relevant and
limited to what is necessary in relation to the purposes for which they are processed”,
also “kept in a form which permits identification of data subjects for no longer than is
necessary for the purposes for which the personal data are processed; personal data may
be stored for longer periods insofar as the personal data will be processed solely for
archiving purposes in the public interest, scientific or historical research purposes or
statistical purposes”. “Decoding” the above GDPR article’s parts, collecting personal data
for the development of Smart Cities has to be precisely pre-defined and follow the legal
8 What does the General Data Protection Regulation (GDPR) govern? (2019, November 27). Retrieved from
https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-does-general-data-protection-
regulation-gdpr-govern_en
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
30
rules. Moreover, special attention is paid in the way the data are kept, the duration of
keeping them not exceeding the necessary period. On the other hand, anonymous data
are supposed to be used (and kept) for statistics and for other reasons, e.g., the
production of a traffic model.
In Article 6 of GDPR it is determined that personal data processing is legitimate if certain
conditions are met: "processing is necessary for the performance of a task carried out in
the public interest". In this sense, when collecting data of public interest, it should be
obvious that collecting these data is precisely about the public interest.
The issue of security of personal data processing is stated in Article 32: “Taking into
account the state of the art, the costs of implementation and the nature, scope, context
and purposes of processing as well as the risk of varying likelihood and severity for the
rights and freedoms of natural persons, the controller and the processor shall implement
appropriate technical and organisational measures to ensure a level of security
appropriate to the risk.” In this part, the regulation enters the information security
systems area, previously regulated by the series of standards ISO/IEC 27000 [67].
It is crucial for Smart Cities developers to consider and pre-organize the way they will
“use” the personal data of citizens. In addition, the kind of information needed for a
Smart City feature to work must be pre-considered. For example, it is obvious that when
an application for monitoring the road load per hour is developed, there is no need for
acquiring personal data of drivers, rather than the cars’ presence – movement on road.
Another interesting point in GDPR is “pseudonymization”. The latter term, mentioned in
Article 4 means that “the processing of personal data in such a manner that the personal
data can no longer be attributed to a specific data subject without the use of additional
information, provided that such additional information is kept separately and is subject
to technical and organizational measures to ensure that the personal data are not
attributed to an identified or identifiable natural person”.
Taking a step further. In Article 89 one can read the following: “Processing for archiving
purposes in the public interest, scientific or historical research purposes or statistical
purposes, shall be subject to appropriate safeguards, in accordance with this Regulation,
for the rights and freedoms of the data subject. Those safeguards shall ensure that
technical and organizational measures are in place in order to ensure respect for the
principle of data minimization. Those measures may include pseudonymization provided
that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled
by further processing which does not permit or no longer permits the identification of
data subjects, those purposes shall be fulfilled in that manner”. As a result of the above,
fully anonymous data are treated as personal data, since no natural person can be
identified out of them.
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
31
4.3 EU funded projects
The SPEAR (Secure and PrivatE smArt gRid)9 project is a 36-month research program, co-
funded by the Horizon 2020 framework programme of the European Union. It aims at
developing an integrated platform of methods, processes, tools, and supporting tools for:
a) Timely detection of evolved security attacks such as APT, Denial of Service (DoS) and
Distributed DoS (DDoS) attacks using big data analytics, advanced visual-aided anomaly
detection, and embedded smart node trust management.
b) Developing an advanced forensic readiness framework, based on smart honeypot
deployment, which will be able to collect attack traces and prepare the necessary legal
evidence in court, preserving the same time user private information.
c) Implementing an anonymous smart grid channel for mitigating the lack of trust in
exchanging sensitive information about cyber-attack incidents.
d) Performing risk analysis and awareness through cyber hygiene frameworks while
empowering EU-wide consensus by collaborating with European and global security
organizations, standardization bodies, industry groups and smart grid operators.
e) Exploiting the research outcomes to more CIN domains and creating competitive
business models for utilizing the implemented security tools in smart grid operators and
actors across Europe.
EnergyShield (Integrated Cybersecurity Solution for the Vulnerability Assessment,
Monitoring, and Protection of Critical Energy Infrastructures)10 is a 36-month EU H2020
Research and Innovation program of the European Union, funded by the Horizon 2020
framework program and began on the 1st of July 2019. The project addresses the needs
of the operators in the Electrical Power and Energy System (EPES). It combines the latest
technologies for vulnerability assessment, supervision, and protection to draft a defensive
toolkit.
PHOENIX (Electrical Power System’s Shield against complex incidents and extensive cyber
and privacy attacks)11 is a 36-month EU H2020 Research and Innovation program of the
9 Spear2020.eu. 2020. Home Page - SPEAR Project. [online] Available at: <https://www.spear2020.eu/>
[Accessed 2 April 2020].
10 Cordis.europa.eu. 2020. CORDIS | European Commission. [online] Available at:
<https://cordis.europa.eu/project/id/832907> [Accessed 2 April 2020].
11 https://cordis.europa.eu/project/id/832989
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
32
European Union, funded by the Horizon 2020 framework program and began on the 1st of
September 2019. PHOENIX aims to offer a cyber-shield armor to European EPES
infrastructure enabling cooperative detection of large scale, cyber-human security and
privacy incidents and attacks, guarantee the continuity of operations and minimize
cascading effects in the infrastructure itself, the environment, the citizens and the end-
users at reasonable cost.
CONCORDIA (Cybersecurity cOmpeteNce fOr Research anD Innovation)12 is a 36-month EU
H2020 Research and Innovation Action project of the European Union, funded by the
Horizon 2020 framework program and began on the 1st of January 2019. CONCORDIA
addresses the current fragmentation of security competence by networking diverse
competencies into a leadership role via a synergistic agglomeration of a pan-European
Cyber-security Center. The vision of CONCORDIA is to build a strong community
cooperation between all stakeholders, understanding that all stakeholders have their KPIs,
bridging among them, and fostering the development of IT products and solutions along
the whole supply chain. Technologically, it projects a broad and evolvable data-driven
and cognitive E2E Security approach for the ever-complex ever-interconnected
compositions of emergent data-driven cloud, IoT, and edge-assisted ICT ecosystems.
SerIoT (Secure and Safe Internet of Things) 13 is a 36-month EU H2020 Research and
Innovation Action project of the European Union, funded by the Horizon 2020 framework
program and began on the 1st of January 2018. SerIoT aims to provide a useful open &
reference framework for real-time monitoring of the traffic exchanged through
heterogeneous IoT platforms within the IoT network in order to recognize suspicious
patterns, to evaluate them and finally to decide on the detection of a security leak,
privacy threat and abnormal event detection while offering parallel mitigation actions
that are seamlessly exploited in the background.
SCISSOR (Security In trusted SCADA and smart-grids)14 was a 36-month EU H2020 Research
and Innovation Action project of the European Union, funded by the Horizon 2020
framework program and began on the 1st of January 2015. The project aimed to design a
new generation SCADA security monitoring framework.
12 CONCORDIA. 2020. Home : CONCORDIA. [online] Available at: <https://www.concordia-h2020.eu/>
[Accessed 2 April 2020].
13 Seriot-project.eu. 2020. Seriot – Secure And Safe Internet Of Things. [online] Available at:
<https://seriot-project.eu/> [Accessed 20 March 2020].
14 Cordis.europa.eu. 2020. CORDIS | European Commission. [online] Available at:
<https://cordis.europa.eu/project/id/644425> [Accessed 2 April 2020].
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
33
WiseGRID (Wide scale demonstration of Integrated Solutions and business models for
European smartGRID)15 is a 42-month EU H2020 Innovation Action project of the European
Union. It is funded by the Horizon 2020 framework program and began on the 1st of
November 2016. WiseGRID integrates, demonstrates, and validates advanced ICT services
and systems in the energy distribution grid in order to provide secure, sustainable, and
flexible smart grids and give more power to the European energy consumer. The project
will combine an enhanced use of storage technologies, a highly increased share of
Renewable Energy Sources (RES) and the integration of charging infrastructure to favor
the large-scale deployment of electric vehicles. It will place citizens at the center of the
transformation of the grid.
P2P-SmarTest (Peer to Peer Smart Energy Distribution Networks)16 was a 36-month EU
H2020 Innovation Action project of the European Union, funded by the Horizon 2020
framework program and began on the 1st of January 2015. The project investigated and
demonstrated a smarter electricity distribution system integrated with advanced ICT,
regional markets, and innovative business models. It employed Peer-to-Peer (P2P)
approaches to ensure the integration of demand-side flexibility and the optimum
operation of DER and other resources within the network while maintaining second-to-
second power balance and the quality and security of the supply.
15 Ece.ntua.gr. 2020. Wisegrid - Wide Scale Demonstration Of Integrated Solutions And Business Models For
European Smartgrid. [online] Available at: <https://www.ece.ntua.gr/en/article/61> [Accessed 4 March
2020].
16 Cordis.europa.eu. 2020. CORDIS | European Commission. [online] Available at:
<https://cordis.europa.eu/project/id/646469> [Accessed 10 March 2020].
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
34
5 POCITYF’s approach
In this Section, an initial approach is made in investigating the cyber-security and privacy
issues in the considered Energy Transition Tracks (see Error! Reference source not
found.). By providing possible threats and taking into consideration the current related
knowledge on cyber-security and privacy in Smart Cities, some indications are given on
how POCITYF plans to overcome the mentioned threats. Based on the considered Energy
Transitions Tracks, the categorization regarding the cyber-security and privacy in this
Section will be following:
a. Critical energy infrastructure
b. Smart buildings
c. Transportation
d. Smart citizens’ data
e. Indirect to POCITYF approaches
Figure 5 POCITYF’s Energy Transition Tracks
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
35
5.1 Critical energy infrastructure
When discussing critical energy infrastructure in a Smart City, one mainly refers to the set
of infrastructures that support the city’s electricity smart grid, along with oil and gas
reserve stocks. Regarding electricity smart grids, this infrastructure mostly consists of
computers and sensors and, being the backbone of the ICT-based grid, is responsible for
managing electricity in a sustainable, reliable, and economical manner.
According to the European Commission, the smart grid is “an upgraded electricity network
to which two-way digital communication between supplier and consumer, intelligent
metering and monitoring systems have been added” [68]. The European Union has a high
level of energy security, enabled by oil and gas reserve stocks, and one of the most reliable
electricity grids in the world [69]. The focus here is on challenges regarding the security
of energy supply, notably in the electricity sector.
In POCITYF, the ETT 2 - P2P Energy Management and Storage Solutions for Grid Flexibility
- is the main ETT that considers smart grids. More specifically, the Innovative Solutions
(IS) proposed there are:
- IS-2.1: Flexible and Sustainable Electricity Grid Networks with Innovative Storage
Solutions. This IS’s innovative elements (IE) considered are:
o 2nd life residential batteries
o Micro-grid controller platform
o Control algorithms
o LV and MV-connected storage systems
o P2P energy trading platform
o City Energy Management System
o Powermatcher (DSM platform)
o Stationary batteries
o Virtual Power Plant (VPP)
o V2G
o DC grid
o Fuel cells (hydrogen)
- IS-2.2: Flexible and Sustainable District Heating/Cooling with Innovative Heat
Storage Solutions. This IS’s IEs considered are:
o Freezing storage in store
o Market-oriented building flexibility services
o low temperature
o heat grid
o geothermal
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
36
o low temperature waste heat
o ATES (heat/cold storage)
o HEAT matcher
o thermal grid controller
o Heat Island concept
Threats
Regarding the threats on the smart grids, such as the one in POCITYF’s ETT 2, those are
mainly three: (i) attacks targeting availability, also called denial-of-service (DoS) attacks,
attempt to delay, block or corrupt the communication in the Smart Grid; (ii) attacks
targeting integrity aim at deliberately and illegally modifying or disrupting data exchange
in the Smart Grid; and (iii) attacks targeting confidentiality intend to acquire unauthorized
information from network resources in the Smart Grid. The challenges in POCITYF’s smart
grid(s) have to consider all the ISs mentioned. In this sense, security and privacy schemes
must be a kind of multidisciplinary.
Another threat to be considered is about issues regarding trust in smart grids. Trust can
be described as the confidence that, during some specific interval (a) users can access
data created by the right device at the expected location at the proper time,
communicated using the expected protocol, and (b) the data has not been modified [70].
If some smart grid’s participants are not “trustworthy,” methods of addressing this issue
are required.
In smart grids, developments such as Internet technologies, broadband communication,
and non-deterministic communication environments are employed. As a result, many
security issues may occur. Interestingly, commonly used devices can become a threat to
smart grids. For example, smart meters are desirable targets because vulnerabilities can
easily be monetized. Compromising a meter can immediately manipulate the energy costs
or energy meter readings [71]. Regarding privacy, energy use information stored at the
meter and distributed thereafter acts as an information-rich side channel, exposing
customer habits and behaviors.
POCITYF’s approach
The objectives in POCITYF regarding the cyber-security and the main threats given for its
smart grids are the following [72] and depicted in Figure 6:
Availability: Ensuring timely and reliable access to and use of information is of the most
important in the Smart Grid. This is because a loss of availability is the disruption of access
to or use of information, which may further undermine the power delivery. Integrity:
Guarding against improper information modification or destruction is to ensure
information nonrepudiation and authenticity. A loss of integrity is the unauthorized
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
37
modification or destruction of information and can further induce incorrect decisions
regarding power management.
Confidentiality: Preserving authorized restrictions on information access and disclosure is
mainly to protect personal privacy and proprietary information. This is necessary to
prevent unauthorized disclosure of information that is not open to the public and
individuals.
Figure 6 Three high-level security objectives for the Smart Grid [72]
5.2 Smart buildings
Smart buildings are a crucial part of a smart city for various purposes: improving residents’
comfort, efficient operation of the building’s systems (i.e., elevators, water pipes, gas
pipes), and reduction in energy consumption [73]. In their general case, they consist of:
(i). Sensors for monitoring and submitting messages in case of changes; (ii). Actuators that
perform physical actions; (iii) Controllers to control units and devices based on
programmed rules set by the user; (iv). Central unit that enables programming of units in
the system; (v). Interface for users’ communication with the system; (vi). Network which
allows for the communication between the units; and (vii). Smart meter that offers a two-
way, near or real-time communication between customer and utility company [74].
In POCITYF, the ETT 1 - Innovative Solutions for Positive Energy (CH) Buildings and Districts
- is the main ETT that considers smart buildings. More specifically, the Innovative Solutions
(IS) proposed in ETT 1 are:
- IS-1.1: Positive Energy (stand-alone) Buildings. This IS’s IEs considered are:
o PV glass
o PV canopy
o PV skylight
o Tegosolar PV
o Traditional PV shingle
o Bidirectional smart inverters
o Energy router
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
38
o BMS
o 2nd life
o residential batteries
o HEMS/BEMS
o Positive Computing Data Centre
o Insulation with circular materials
o Triple glazing
o Solar roofs and facades
o Thermo acoustic heat pumps
o Hybrid wind/solar
o generation system (Powernest)
o Li-ion batteries
o Cascaded heat pumps
o Composite façade panels
o PCM in the floor
- IS-1.2: Positive Energy Districts Retrofitting. This IS’s IEs considered are:
o Smart Lamp posts with EV charging and 5G functionalities
o Energy router
o Smart distribution management system
o P2P energy trading platform
o Community Solar Farm (P2P driven: (3)PV plants, (1) public funded ESCO PV)
o DHC (biomass, waste, geothermal)
o ATES (heat/cold storage)
o Li-ion/Li-metal batteries
o DC lighting with EV charging
o Solar roads
o V2G
- IS-1.3: Feeding of PEDs with Waste Streams (heat/materials) promoting Symbiosis
and Circular Economy. This IS’s IEs considered are:
o 2nd life residential batteries
o Pay-As-You-Throw (PAYT)
o Reverse collection of waste
o Circular economy building practices
o ATES (heat/cold storage)
o PCM in the floor
o Waste management tools
Threats
Regarding the cyber-attacks in a smart city’s (smart) buildings, they target the IT
infrastructure supporting the buildings’ smart control systems (e.g., light and motion
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
39
sensors, water heaters and coolers, escalators, gas, and smoke detectors, water leak
detectors, security, etc.). Note that these control systems interconnect with other
systems; thus, further adding to the potential under-attack systems. In a smart building,
the threat is mostly on the building automation systems (e.g., disruption of video
surveillance, electrical distribution, lighting, emergency power, access control, elevators,
fire systems, HVAC, climate control, monitoring, etc.). In recent research [75] by cyber-
security firm Kaspersky17 it is mentioned that in the first half of 2019, 37.8% of computers
controlling smart building automation systems were affected by “malicious cyber-
attacks.” The study was conducted on more than 40,000 buildings that use Kaspersky’s
cyber-security products. It is interesting to mention that the attacks were not specifically
targeted at building automation systems. However, in most cases, the malware was found
on computer systems affecting computers that control the smart building systems. Of the
4 in 10 buildings attacked, 11 percent were attacked by spyware attempting to steal
account credentials. Further discussing anti-viruses, it is interesting to note that not every
device can hold an anti-virus. For example, in the absence of anti-virus, a smart TV can
be attacked by using a “Man In The Middle” during a simple authentication procedure that
only needs an IP address, a MAC address, and a hostname18.
Table 3 Communication Protocols for Smart Buildings
Communication Protocol Description
BACnet [76] Standardized by the American National Standards
Institute (ANSI) and the International Standards
Organization (ISO) (ISO 16484-5) since 2003 for building
automation and control networks. It defines several data
link/physical layers.
KNX [77] Standardized under EN 50090 and ISO/IEC 14543. Open
System Interconnection (OSI)-based network
communications protocol for intelligent buildings.
Factory Instrumentation
Protocol (FIP) [78]
European standard (EN 50170-3) used for the
interconnection of devices in automated systems. It
defines several application/datalink/physical layers.
17 Global Leader in Cybersecurity for Home & Business. (n.d.). Retrieved from
https://www.kaspersky.com/
18 7, O. (n.d.). Smart Buildings At High Risk for Cyber Attacks: Study. Retrieved from
https://www.facilitiesnet.com/buildingautomation/tip/Smart-Buildings-At-High-Risk-for-Cyber-Attacks-
Study--44839
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
40
While various communication protocols have been implemented over the years (see, for
example, those depicted in Table 3), most of them do not take any cyber-security
measures against cyberattacks or intrusions. Hence, strong security measures must be
applied in smart buildings.
Mainstream buildings can be turned into smart by using Building Automation Systems
(BAS), which can both monitor and control the multiple building systems (such as those
mentioned earlier) through a shared network medium. Under BAS, the smart devices
consisting the smart building (e.g., sensors, actuators, etc.) report and provide physical
control through controller devices [15]. On the one hand, the connection of all the devices
together enables for smart building’s operations to be remotely observed over the
Internet. On the other hand, using the Internet along with the interconnection of the
devices result in security treats [79].
Since BAS has access to shared networks, the devices consisting it are exposed to threats
that originally would be faced by traditional IT networks and protocols. For example,
smart buildings can face denial of service threats (e.g., against their access control
system) and even a complete takeover of the smart building may be the threat’s goal in
some cases [80] [81]. Steffen Wendzel surveys the six unresolved problems regarding smart
buildings’ security, in his work “How to increase the security of smart buildings?” [82]:
(i). Internet-based Communications; (ii). Impact of Attacks; (iii). Long-term Software
Deployment; (iv). User-Oriented Software Design; (v). Insecure Network Stacks; and (vi).
Access to Standards, the six steps to be taken towards a more secure system.
POCITYF’s approach
Intel categorizes the types of security products that can be implemented or installed for
POCITYF’s smart buildings by “good, better, and best.” 19 This categorization, along with
the smart building’s part it targets, is depicted in Figure 7.
19 Cdrdv2.intel.com. 2020. [online] Available at: <https://cdrdv2.intel.com/v1/dl/getcontent/334327>
[Accessed 26 April 2020].
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
41
Figure 7 Types of security products categorized by good,
better, and best
In terms of specific protocols that can be implemented for POCITYF’s buildings IoT, and
the security provided by each one, a review of the security provided by some of the most
known protocols for IoT is given in the sequel:
MQTT [83]: MQTT is a publish /subscribe messaging protocol developed by IBM. It is an
OASIS20 standard as of 2014. It is lightweight, open, simple, and designed to be easily
20 “Advancing Open Standards for the Information Society.” OASIS, www.oasis-open.org/.
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
42
implemented. These characteristics make it ideal for Machine to Machine (M2M)
communications and Internet of Things (IoT) contexts that are the backbone of a smart
building. In its pub/sub messaging pattern, there are at least three entities: a mediator
(usually called a broker), a data publisher, and a data subscriber. The broker is used to
queue and transmit messages between data publishers and data subscribers. Regarding
security, it provides a username/password system for authentication and relies on
Transport Layer Security (TLS) library for data encryption.
MQTT-SN [84]: Message Queuing Telemetry Transport for Sensor Networks (MQTT-SN) is
enhancing MQTT in adapting to the peculiarities of a wireless communication environment
(e.g., low bandwidth, high link failures, short message length, etc.) MQTT-SN does not
require TCP/IP stack. At the same time, it is optimized for the implementation on low-
cost, battery-operated devices with limited processing and storage resources. Regarding
security issues, it inherits the MQTT approach (username/password, TSL).
HTTP/REST [85]: HTTP is the well-known protocol powering the Internet and allows for
sending information back and forth between clients and servers under the
request/response method. HTTP uses TCP packets and is enhanced by the
Representational State Transfer (REST) model in terms of providing a way to organize
interactions between entities. The key characteristic of a RESTful Web service is the
explicit use of HTTP methods (GET, PUT, POST, and DELETE) in a way that follows the
protocol as defined by RFC 2616. REST is also stateless, exposes directory structure-like
URIs and allows the transfer of information using XML and JSON objects. Security of
HTTP/REST relies on TLS for data encryption and OAuth for authorization.
CoAP [86]: Constrained Application Protocol (CoAP) is a request/response protocol, similar
to HTTP/REST. It is mostly differentiated in using UDP instead of TCP. UDP’s datagrams
allow for “running” on top of packet-based technologies (e.g., SMS). Regarding security,
TLS encryption is only available over TCP; thus, CoAP makes use of its UDP counterpart
Datagram Transport Layer Security (DTLS).
AMQP21: AMQP provides a platform-agnostic method for ensuring information is safely
transported between applications, among organizations, within mobile infrastructures,
and across the Cloud. AMQP is used in areas as varied as financial front office trading,
ocean observation, transportation, smart grid, computer-generated animation, and online
gaming. Many operating systems include AMQP implementations, and many application
21 ISO and IEC Approve OASIS AMQP Advanced Message Queuing Protocol. (n.d.). Retrieved April 10, 2020,
from https://www.oasis-open.org/news/pr/iso-and-iec-approve-oasis-amqp-advanced-message-queuing-
protocol
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
43
frameworks are AMQP-aware. There are Cloud-hosted offerings of AMQP, and it is
embedded in virtualization infrastructure. Regarding security, it supports TLS and the
Simple Authentication and Security Layer (SASL).
XMPP [87]: Extensible Messaging and Presence Protocol (XMPP) is an open communications
protocol based on the Extensible Markup Language (XML). XMPP enables for decentralized
instant messaging, presence, multi-party chat, voice, and video calls. While old
(established as IETF standard back in 2004), it is recommended by many researchers for
IoT as a result of XMPP supporting federation. In other words, devices from different
manufacturers and connected to different platforms can communicate with each other
using a standard communications protocol. Regarding security, it can use SASL for
authentication and TLS for encryption. On the other hand, it lacks end-to-end encryption
or quality of service.
5.3 Transportation
As mentioned in the Introduction section of the current, most people live in large cities
today; thus, mobility in those cities can cause several problems, due to traffic congestion,
increased energy consumption and high pollution. For tackling the effects of the above
problems, intelligent transportation systems (ITSs) are employed in smart cities, i.e.,
advanced applications aiming at providing innovative services relating to different modes
of transport and traffic management and enable users to be better informed and make
safer, more coordinated, and 'smarter' use of transport networks. As a result, the ITSs’
services can reduce mobility, optimize trip planning, prevent drivers from exhibiting
malicious behaviors, improve safety, reduce CO2 emissions, provide information regarding
parking places using smartphones, track cars, etc. Hence, vehicular communication is a
critical technology in smart cities.
In POCITYF, the ETT 3 - e-mobility Integration into Smart Grid and City Planning - is the
main ETT that considers ITS. More specifically, the ISs proposed in ETT 3 are:
- IS-3.1: Smart V2G EVs Charging. This IS’s IEs considered are:
o EV charging management platform
o EV charger prototype with PV integration
o Bidirectional smart inverters
o V2G
o Smart Lamp posts with EV charging and 5G functionalities
o Intelligent and optimal control algorithms
o Smart solar charging
o Virtual Power Plant (VPP)
o DC lighting with EV charging
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
44
- IS-3.2: E-mobility Services for Citizens and Auxiliary EV technologies. This IS’s IEs
considered are:
o EV sharing
o Hydrogen powered HD vehicles
o Solar Roads
Threats
As in most ITSs, the main POCITYF’s ITS threats and attacks are related to the following
primary security services [88]: availability, identification and authenticity, confidentiality
and privacy, integrity and data trust and non-repudiation and accountability. In Table 4,
these services are shown, along with most known “attacks” regarding each one and well-
known security solutions regarding them.
Table 4 Well-known ITS threats, attacks, and countermeasures.
ITS
Threats Availability
Identification
and
Authenticity
Confidentiality
and Privacy
Integrity
and Data
Trust
Non-
Repudiation
and
Accountability
ITS
Attacks
Denial of
Sevice
Jamming
Broadcast
Tampering
Greedy
Behaviour
Black Hole
Malware
Spamming
Man in the
Middle
Sybil
Replay
GPS Spoofing
Masquerading
Tunneling
Key/Certification
replication
Eavesdropping
Traffic Analysis
Information
Gathering
Message
Tampering
Message
Suppression
and
alteration
Loss of Event
Traceability
Wormhole
ITS
Security
Solutions
Bit
Commitment
& Signature
Frequency
Hopping
Authentication
& non-
Repudiation
Digital
Certification &
Zero Knowledge
Trusted
Hardware
Central
Validation
Authority
Encryption of
Data and
Positions of
Vehicles
Variable MAC &
IP Addresses
Group Key
Management
Zero
Knowledge
Trusted
Hardware
Authorized
Modifications
Only
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
45
ITS
Threats Availability
Identification
and
Authenticity
Confidentiality
and Privacy
Integrity
and Data
Trust
Non-
Repudiation
and
Accountability
Digital
Signature of
Software &
Sensors
Time Stamping
Bit Commitment
& Signature w.
Positioning
System
Digital Signature
of Software &
Sensors
The involved entities regarding POCITYF’s ITS security can be given as follows [89] [88]:
The drivers: Drivers are the most crucial element of ITS, since they must make vital
decisions and can interact with the driving assistance systems to ensure their safety;
The on-board unit (OBU): OBU refers to both the driver and the vehicle in the literature.
OBUs can be classified into (i) normal OBUs, which operate in a usual way; and (ii)
malicious OBUs, which try to mislead the system;
The roadside unit (RSU): Similarly to OBU, RSUs can be classified into (i) normal RSU
terminals; and (ii) malicious RSU terminals, which try to mislead the system;
Third-party entities: Third-party entities can be trusted or semi-trusted, and are
responsible for managing the security certificates, as well as the diverse secrets/public
key pairs. Examples of such entities include the transportation regulatory agencies and
vehicle manufacturers;
The attackers: Attackers try to violate the security of ITS systems by using several
techniques, as shown in Table 4.
POCITYF’s approach
For achieving a practical deployment of POCITYF’s ITS system, several security
requirements have to be satisfied; thus, ensuring the safety of drivers and the V2V and
V2G security. More specifically, special attention has to be paid in the following challenges
[88]:
Authentication: This is an essential requirement. It refers to (i) user authentication to
prevent Sybil attacks and dismiss malicious entities; (ii) source authentication to ensure
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
46
that legitimate ITS stations generated messages; and (iii) location authentication to
ensure the integrity and relevance of the received information;
Data integrity: ITS entities (e.g., OBUs, RSUs, etc.) should be able to verify and validate
the integrity of the received messages in order to prevent any unauthorized or malicious
modification, manipulation or deletion during transmission;
Privacy and anonymity: The identities of drivers and vehicles should not be easily
identifiable from the exchanged messages, and the right of the driver to control the access
and use of her/his data should be enforced;
Availability: Exchanged information should be processed and made available in real-time,
requiring thus the implementation of low-overhead and lightweight cryptographic
algorithms;
Traceability and revocation: ITS authorities should be able to track malicious ITS entities
that are misusing the ITS system, in order to revoke them promptly. The trust authority
(TA) should be able to trace the vehicle and reveal its identity. Furthermore, in case of a
dispute or when a malicious vehicle is detected, the TA must revoke it and add its identity
to the revocation list;
Authorization: It is necessary to define the access control and authorization for the
different entities. Specific rules should be enforced for accessing or denying specific ITS
entities access and/or use of certain functions or data;
Non-repudiation: Each ITS entity should be uniquely associated with its information and
actions in order to achieve data authenticity and origination;
Robustness against external attacks: ITS entities should be robust against external attacks,
such as availability attacks, and ITS software should be almost free of vulnerabilities (e.g.,
buffer overflow) and logic flaws;
Data confidentiality: Exchanged messages should be encrypted appropriately and
protected in order to prevent the disclosure of sensitive information to malicious nodes
or unauthorized parties.
5.4 Smart citizens’ data
A Smart City consists of many different parts, such as smart grid, smart buildings, etc. In
this sense, POCITYF considers the 3 presented ETTs, covering the most significant parts of
a Smart City. A common characteristic among those parts is their need for storing, using,
and (in some cases) sharing the users’ data. For example, payment methods are
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
47
implemented both in ETT 1 and ETT 2. As a result, citizens’ data security will play an
important role in their engagement with a Smart City’s built.
Taking into consideration that the goal of building a Smart City (or turning a city into a
Smart City) is to become a better-to-live place for its citizens, the latter have to be part
of the equation and play a role in building the Smart City. The transition to positive
buildings, districts, and communities have to be pursued through a close relationship with
citizens. This relationship must encompass a bottom-up approach (from city to solution
providers and local authorities), in which co-creation, co-development, and co-
implementation processes are involved. The aim is to prevent the disconnection that, may
arise from the deployment of non-tailored solutions, agnostic to the culture and history
of the local citizens. However, involving citizens in data collection may raise several issues
concerning privacy, security, misinterpretation, or even abuse.
Large quantities of data are generated from Smart Cities infrastructures and infusing these
data into the physical infrastructure of a city or government may lead to better services
to citizens. On the other hand, collecting and processing of such data may result in privacy
and security issues that should be faced appropriately to create a sustainable approach
for smart cities and governments [90].
In order for the Smart Cities “builders” to engage the citizens in the creation process and
have a close relationship with them, POCITYF proposes many ideas. Digital transformation
in Social Innovation, Gamification platform, Tourist apps, Cultural experiences market
(mobile app), Mobile apps on energy consumption, Value based design, and InnoFest
concept are some of the POCITYF’s proposed ideas.
Next to citizens and networks of citizens, communities involve various other types of
stakeholders. Policymakers and local government managers fulfill a crucial role in the
energy and circular transition of cities and their residential, commercial, and industrial
zones. Regarding POCITYF, they have a unique position, at the beginning of a change
process, like in the implementation of Sustainable Development Goals, to bring the
transition actors together. Within the Quadruple Helix –the industry-government-
knowledge institutes-public relations and actors interact- in a region or city and contribute
to the necessary change process. The Open Innovation for Policy Makers and Managers is
enhanced by two innovative elements, i.e., TIPPING approach and Eco-Acupuncture.
The transition to an interconnected Smart City system can be achieved by enabling the
concept of new solutions on top of the data that will be retrieved and centralized at a
city-level platform. From the vibrant smart city environment, a set of new tools are
needed for laying the ground for the attainment of an economically viable green economy
and more effective citizen engagement. In this sense, POCITYF proposes City Urban
Platform, Wi-fi data acquisition systems, Data lake intelligence for positive communities,
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
48
Smart-cloud for innovative Startups, Citizen Information Platform, Data acquisition
systems, City Data Hub.
In POCITYF, while citizens’ data utility is categorized among the IEs of each IS (e.g.,
citizens’ data are used in both IS3.1’s EV charging management platform and IS1.1’s P2P
energy trading platform), their participation in building the Smart Cities is considered as
a different ETT: ETT 4 - Citizen-Driven Innovation in Co-creating Smart City Solutions.
The ISs proposed in ETT 4 are:
- IS-4.1: Social Innovation Mechanisms towards Citizen Engagement
o Digital transformation in Social Innovation
o Gamification platform
o Tourist apps
o Cultural experiences market (mobile app)
o Mobile apps on energy consumption
o Value based design
o InnoFest concept
- IS-4.2: Open Innovation for Policy Makers and Managers
o TIPPING approach
o Eco-Acupuncture
- IS-4.3: Interoperable, Modular and Interconnected City Ecosystem
o City Urban Platform
o Wi-fi data acquisition systems
o Data lake intelligence for positive communities
o Smart-cloud for innovative Startups
o Citizen Information Platform
o Data acquisition systems
o City Data Hub
Threats
All the above features will generate an enormous amount of data that has to be acquired,
processed, and securely managed. In Figure 4, a holistic view of the data lifecycle is
depicted, including data management, data security and privacy, and network and
computing technologies in smart cities [91]. For securing the data in Smart Cities
platforms in a holistic approach (and not in an element-based approached as in previous
sections of the current), some works have been proposed over the past few years.
One of the first is providing security and privacy in IoT systems, an essential part of smart
city infrastructure and applications. Using sensors and devices with limited computational
power and, at the same time, relying on weak cryptography algorithms, pose serious
threats to data security and integrity. Besides, using sensors to perform basic
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
49
cryptographic operations limits the length of cryptographic keys, which in turn can
jeopardize both the confidentiality and integrity of data [92]. Note that dense deployment
of IoT devices always carries the risk of physical security breaches.
POCITYF’s approach
One tool proposed for the above challenges is the Trusted Platform Module (TPM)
standard22. The TPM (see Figure 9), is a dedicated hardware module for cryptographic
processing operations. It is usually deployed as a co-processor and is used for
cryptographic random number generation, secure boot, attestation, and data sealing. TPM
saves a hash of the desired state of the platform in a secure area, and each time the
system boots, it checks the current state of the system against the desired state hash. If
any changes were detected, it prevents the system from booting. TPM, along with the
BIOS system, create a root-of-trust. Using TPM can significantly increase the systems’
integrity and confidentiality. TPM is a viable solution for devices with hardware that can
support such operations. Network overlays are a viable solution to protect security and
privacy in networks with sensors and devices that have limited or no cryptographic
capabilities. The overlay network provides security and privacy by isolating the network
in question from attackers.
22 ISO. 2020. ISO/IEC 11889-1:2009. [online] Available at: <https://www.iso.org/standard/50970.html>
[Accessed 16 March 2020].
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
50
Figure 8 A holistic view of the data lifecycle
Figure 9 Trusted Platform Module (TPM)
Servers play an important role in Smart City’s as all data gathered by sensors are placed
and retained there, the latter threatening users’ privacy. In addition, as most activities
are performed using ICT, users are unable to hide their presence.
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
51
For issues like these, Blockchain [93] can be used, also having the potential to address
privacy concerns in smart cities. Blockchain is a peer-to-peer distributed open database
firstly used for keeping track of exchanged cryptocurrency (Bitcoins) [94]. The provided
distributed database can be used to record transactions securely and anonymously.
Because potential attackers have to hack 51% of the network nodes, Blockchain is said to
have non-hackable nature. Blockchain can be used in Smart Cities to establish relations
between service providers and users under contract without any involvement of third-
parties and re-negotiations [91].
Another challenge in Smart Cities data is on securing machine learning vulnerabilities in
adversarial environments (Adversarial Machine Learning field). Intrusion Detection
Systems (IDSs) are based on technology that relies on machine learning systems to save
networks from sophisticated attacks. In order for IDSs to perform efficiently, their
machine learning algorithms are trained on datasets, called adversarial samples. These
samples are past known patterns and attackers’ behaviors. As machine learning algorithms
mature, adversarial attacks also get sophisticated in order to evade detection. Adversaries
know that machine learning algorithms require training, so they often devise targeted
attacks that aim to poison the training data that can render the algorithm useless. In
addition, some adversaries focus on crafting input data that resembles regular input in
order to escape detection.
5.5 Indirect to POCITYF approaches
E-Government
The challenges e-government must overcome lie in privacy, trust, and availability in terms
of security [14]. The security of e-governance emphasizes on data privacy and business
management. At the same time, many European projects have been dedicated to these
goals over the past years. For example, in the final report of the European project STOA,
“Security of eGovernment Systems” [95], 11 security policies were defined: (i) Develop a
policy strategy for improving the security of IT-systems used in Europe; (ii) Stimulate
development and use of security checklists (short-term); (iii) Encourage the development
and use of highly secure components (mid-term); (iv) Encourage the development and use
of highly secure systems (long-term); (v) Create stronger institutional supervision and
oversight of security; (vi) Build a ‘Privacy by Design’ knowledge base; (vii) Substantiate
the data minimization principle by using anonymization techniques in all European
eGovernment systems; (viii) Stimulate technical and legal solutions that avoid or limit
privacy risks caused by re-identification of previously anonymized data; (ix) Make Privacy
Impact Assessments of eGovernment systems mandatory and public; (x) Use gateways to
achieve interoperability of different national eGovernment security tools, but aim at
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
52
Europe-wide availability and usability of tools; and (xi) Ensure open and transparent
evaluations of the trade-offs between privacy, security, usability, interoperability and
costs of an eGovernment system.
Healthcare
Smart Cities’ Healthcare section is mainly supported by e-health, a term that is dated
back to at least 1999 [96]. Through the medical services it offers, e-health (or eHealth)
enables the patients’ data with the ability to be shared among healthcare professionals.
In contrast, tele-monitoring of patients’ health is able through smart devices (e.g.,
smartphones). In addition, patients can be provided with e-prescriptions, instead of the
mainstream handwritten prescriptions. E-health also allows for public dissemination of
medical information about a country’s health situation, which results in a better
management of “health crises” using information systems to measure, monitor, and make
decisions.
In order to enable and improve remote medical monitoring, wireless body area networks
(WBANs) [97] have been developed. WBANs are characterized by their easy deployment,
the mobile nodes they consist, and their self-organization.
In terms of security and privacy, many factors have to be taken into account when dealing
with healthcare data. Unencrypted transmission of healthcare-related data, e.g.,
electrocardiograms (ECG), will have a significant impact on privacy. Commonly used
methods, such as discrete cosine transform (DCT) [98] [99], wavelet transform [100], and
adaptive Fourier decomposition (AFD) algorithms [101] [102], when used for e-health
applications depend on the compression efficiency (i.e., the ratio between the original
signal and the recovered one), reconstruction quality (the difference between the original
signal and the recovered one), and computation complexity [14].
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
53
6 Conclusions
Deliverable D11.12 – Cyber Data Security Management Plans – aims to present a framework
to ensure that POCITYF will comply with the privacy and security of sensitive information.
The proposed strategies will facilitate the implementation of a layered data protection
framework allowing the project to collect and manipulate large amounts of data. The
framework will be continuously monitored and assessed to ensure privacy and security
regularly.
As D11.12 heavily depends on the available knowledge about the POCITYF’s Innovative
Elements (IE) in the four Energy Transition Tracks (ETTs), the creation of the deliverable
entails a sequential process, following the knowledge creation process regarding
POCITYF’s IEs that happen in WP1, WP6, and WP7.
The current, 1st version of the deliverable introduces the concept of cyber-security and
privacy in smart cities. Moreover, it provides an overview of the cyber-security and privacy
issues relevant to POCITYF 4 ETTs. This version uses the information for POCITYF’s IEs that
is already available in the DoA.
The 1st version lays the foundations for the identification of the critical cyber-security and
privacy challenges associated with POCITYF 4 ETTs, which will be included in the 2nd
version of the deliverable. This version that will be available in month 24 (included in
D11.9 – Data Management Plan – version 2) will also provide the recommended actions to
address the cyber-security and privacy challenges and to mitigate relevant risks.
The implementation of the cyber-security and privacy recommendations will be
monitored, and the evaluation of the results will provide insights and lessons learned from
the POCITY project. The primary outcome of the final version of the deliverable in month
48 (included in D11.10 – Data Management Plan – version 3) will be a practical set of the
key takeaways for protecting the cyber-security and privacy in smart city initiatives.
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
54
7 References
[1] A. Meola, “How smart city technology & the Internet of Things will change our
apartments, grids and communities,” 1 2020. [Online]. Available:
https://www.businessinsider.com/iot-smart-city-technology. [Accessed 3 January
2020].
[2] “World City Populations 2020,” 1 2020. [Online]. Available:
http://worldpopulationreview.com/world-cities/. [Accessed 13 January 2020].
[3] K. Mekki, E. Bajic, F. Chaxel and F. Meyer, “A comparative study of LPWAN
technologies for large-scale IoT deployment,” ICT express, vol. 5, pp. 1-7, 2019.
[4] R. Ratasuk, N. Mangalvedhe and A. Ghosh, “Overview of LTE enhancements for
cellular IoT,” in 2015 IEEE 26th annual international symposium on personal,
indoor, and mobile radio communications (PIMRC), 2015.
[5] “Internet of Things (IoT) connected devices installed base worldwide from 2015 to
2025,” 1 2020. [Online]. Available:
https://www.statista.com/statistics/471264/iot-number-of-connected-devices-
worldwide/. [Accessed 01 February 2020].
[6] “Cybersecurity vs. Data Privacy,” AmTrust Financial, [Online]. Available:
https://amtrustfinancial.com/blog/small-business/cybersecurity-vs-data-privacy.
[Accessed 05 February 2020].
[7] J. Peters, “Data Privacy Guide: Definitions, Explanations and Legislation,” Varonis,
20 January 2020. [Online]. Available: https://www.varonis.com/blog/data-
privacy/. [Accessed 22 January 2020].
[8] A. M. Townsend, Smart cities: Big data, civic hackers, and the quest for a new
utopia, WW Norton & Company, 2013.
[9] L. Van Zoonen, “Privacy concerns in smart cities,” Government Information
Quarterly, vol. 33, pp. 472-480, 2016.
[10] Y. Li, “Theories in online information privacy research: A critical review and an
integrated framework,” Decision support systems, vol. 54, pp. 471-481, 2012.
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
55
[11] L. Van Zoonen, What do users want from their future means of identity
management? Final report, 2014.
[12] S. B. Barnes, “A privacy paradox: Social networking in the United States,” First
Monday, vol. 11, 2006.
[13] L. Brandimarte, A. Acquisti and G. Loewenstein, “Misplaced confidences: Privacy
and the control paradox,” Social Psychological and Personality Science, vol. 4, pp.
340-347, 2013.
[14] R. Khatoun and S. Zeadally, “Cybersecurity and privacy solutions in smart cities,”
IEEE Communications Magazine, vol. 55, pp. 51-59, 2017.
[15] Z. A. Baig, P. Szewczyk, C. Valli, P. Rabadia, P. Hannay, M. Chernyshev, M.
Johnstone, P. Kerai, A. Ibrahim, K. Sansurooah and others, “Future challenges for
smart cities: Cyber-security and digital forensics,” Digital Investigation, vol. 22,
pp. 3-13, 2017.
[16] H. He and J. Yan, “Cyber-physical attacks and defences in the smart grid: a
survey,” IET Cyber-Physical Systems: Theory & Applications, vol. 1, pp. 13-27,
2016.
[17] J. Yan, B. Tang and H. He, “Detection of false data attacks in smart grid with
supervised learning,” in 2016 International Joint Conference on Neural Networks
(IJCNN), 2016.
[18] J. Jow, Y. Xiao and W. Han, “A survey of intrusion detection systems in smart grid,”
International Journal of Sensor Networks, vol. 23, pp. 170-186, 2017.
[19] K. C. Ruland, J. Sassmannshausen, K. Waedt and N. Zivic, “Smart grid security--an
overview of standards and guidelines,” e & i Elektrotechnik und
Informationstechnik, vol. 134, pp. 19-25, 2017.
[20] Z. Lu, G. Qu and Z. Liu, “A survey on recent advances in vehicular network security,
trust, and privacy,” IEEE Transactions on Intelligent Transportation Systems, vol.
20, pp. 760-776, 2018.
[21] Z. Li and Q. Liao, “An economic alternative to improve cybersecurity of e-
government and smart cities,” in Proceedings of the 17th international digital
government research conference on digital government research, 2016.
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
56
[22] Z. Li and Q. Liao, “Economic solutions to improve cybersecurity of governments
and smart cities via vulnerability markets,” Government Information Quarterly,
vol. 35, pp. 151-160, 2018.
[23] A. T. Chatfield and C. G. Reddick, “A framework for Internet of Things-enabled
smart government: A case of IoT cybersecurity policies and use cases in US federal
government,” Government Information Quarterly, vol. 36, pp. 346-357, 2019.
[24] W. Han and Y. Xiao, “A novel detector to detect colluded non-technical loss frauds
in smart grid,” Computer Networks, vol. 117, pp. 19-31, 2017.
[25] M. Attia, S. M. Senouci, H. Sedjelmaci, E.-H. Aglzim and D. Chrenko, “An efficient
Intrusion Detection System against cyber-physical attacks in the smart grid,”
Computers & Electrical Engineering, vol. 68, pp. 499-512, 2018.
[26] S. P. Nangrani and S. S. Bhat, “Smart grid security assessment using intelligent
technique based on novel chaotic performance index,” Journal of Intelligent &
Fuzzy Systems, vol. 34, pp. 1301-1310, 2018.
[27] C. Tsigkanos, L. Pasquale, C. Ghezzi and B. Nuseibeh, “On the Interplay Between
Cyber and Physical Spaces for Adaptive Security,” IEEE Transactions on Dependable
and Secure Computing, vol. 15, pp. 466-480, 2018.
[28] F. Alrimawi, L. Pasquale and B. Nuseibeh, “On the Automated Management of
Security Incidents in Smart Spaces,” IEEE Access, vol. 7, pp. 111513-111527, 2019.
[29] J. E. Hachem, V. Chiprianov, M. A. Babar, T. A. Khalil and P. Aniorte, “Modeling,
Analyzing and Predicting Security Cascading Attacks in Smart Buildings Systems-of-
Systems,” Journal of Systems and Software, vol. 162, p. 110484, 2020.
[30] H. Kishimoto, N. Yanai and S. Okamura, “Spacis: Secure payment protocol for
charging information over smart grid,” Journal of Information Processing, vol. 25,
pp. 12-21, 2017.
[31] R. Jesus Martins, L. A. D. Knob, E. G. Silva, J. A. Wickboldt, A. Schaeffer-Filho and
L. Z. Granville, “Specialized CSIRT for Incident Response Management in Smart
Grids,” Journal of Network and Systems Management, vol. 27, pp. 269-285, 2019.
[32] S. Huh, S. Cho and S. Kim, “Managing IoT devices using blockchain platform,” in
2017 19th international conference on advanced communication technology
(ICACT), 2017.
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
57
[33] A. Dorri, S. S. Kanhere, R. Jurdak and P. Gauravaram, “Blockchain for IoT security
and privacy: The case study of a smart home,” in 2017 IEEE international
conference on pervasive computing and communications workshops (PerCom
workshops), 2017.
[34] K. Biswas and V. Muthukkumarasamy, “Securing smart cities using blockchain
technology,” in 2016 IEEE 18th international conference on high performance
computing and communications; IEEE 14th international conference on smart city;
IEEE 2nd international conference on data science and systems
(HPCC/SmartCity/DSS), 2016.
[35] N. Elisa, L. Yang, F. Chao and Y. Cao, “A framework of blockchain-based secure
and privacy-preserving e-government system,” Wireless Networks, pp. 1-11, 2018.
[36] L. Yang, N. Elisa and N. Eliot, “Privacy and security aspects of E-government in
smart cities,” in Smart cities cybersecurity and privacy, Elsevier, 2019, pp. 89-
102.
[37] M. Mylrea and S. N. G. Gourisetti, “Blockchain for smart grid resilience: Exchanging
distributed energy at speed, scale and security,” in 2017 Resilience Week (RWS),
2017.
[38] A. S. Musleh, G. Yao and S. M. Muyeen, “Blockchain applications in smart grid--
review and frameworks,” IEEE Access, vol. 7, pp. 86746-86757, 2019.
[39] Z. Li, J. Kang, R. Yu, D. Ye, Q. Deng and Y. Zhang, “Consortium blockchain for
secure energy trading in industrial internet of things,” IEEE transactions on
industrial informatics, vol. 14, p. 3690–3700, 2017.
[40] S. Maharjan, Q. Zhu, Y. Zhang, S. Gjessing and T. Basar, “Dependable demand
response management in the smart grid: A Stackelberg game approach,” IEEE
Transactions on Smart Grid, vol. 4, p. 120–132, 2013.
[41] S. Biswas, K. Sharif, F. Li, B. Nour and Y. Wang, “A scalable blockchain framework
for secure transactions in IoT,” IEEE Internet of Things Journal, vol. 6, p. 4650–
4659, 2018.
[42] N. Dong, H. Jonker and J. Pang, “Challenges in ehealth: From enabling to enforcing
privacy,” in International Symposium on Foundations of Health Informatics
Engineering and Systems, 2011.
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
58
[43] R. Bhagyoday, C. Kamani, D. Bhojani and V. Parmar, “Comprehensive Study of E-
Health Security in Cloud Computing,” 2019.
[44] C. Gentry, “Fully homomorphic encryption using ideal lattices,” in Proceedings of
the forty-first annual ACM symposium on Theory of computing, 2009.
[45] J. H. Cheon and J. Kim, “A hybrid scheme of public-key encryption and somewhat
homomorphic encryption,” IEEE transactions on information forensics and
security, vol. 10, pp. 1052-1063, 2015.
[46] L. Zhu, C. Zhang, C. Xu, X. Liu and C. Huang, “An efficient and privacy-preserving
biometric identification scheme in cloud computing,” IEEE Access, vol. 6, pp.
19025-19033, 2018.
[47] Biometrics: authentication & identification (definition, trends, use cases, laws
and latest news) - 2020 review.
[48] K. Xue, Y. Xue, J. Hong, W. Li, H. Yue, D. S. L. Wei and P. Hong, “RAAC: Robust
and auditable access control with multiple attribute authorities for public cloud
storage,” IEEE Transactions on Information Forensics and Security, vol. 12, pp.
953-967, 2017.
[49] P.-W. Chi and C.-L. Lei, “Audit-free cloud Storage via deniable attribute-based
encryption,” IEEE Transactions on Cloud Computing, vol. 6, pp. 414-427, 2015.
[50] B. Waters, “Ciphertext-policy attribute-based encryption: An expressive, efficient,
and provably secure realization,” in International Workshop on Public Key
Cryptography, 2011.
[51] C. Huang, K. Yan, S. Wei, G. Zhang and D. H. Lee, “Efficient anonymous attribute-
based encryption with access policy hidden for cloud computing,” in 2017
International Conference on Progress in Informatics and Computing (PIC), 2017.
[52] W. Li, B. M. Liu, D. Liu, R. P. Liu, P. Wang, S. Luo and W. Ni, “Unified fine-grained
access control for personal health records in cloud computing,” IEEE journal of
biomedical and health informatics, vol. 23, pp. 1278-1289, 2018.
[53] C. Zhang, L. Zhu, C. Xu and R. Lu, “PPDP: An efficient and privacy-preserving
disease prediction scheme in cloud-based e-Healthcare system,” Future
Generation Computer Systems, vol. 79, pp. 16-25, 2018.
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
59
[54] J. Kim and Y. Kim, “Benefits of cloud computing adoption for smart grid security
from security perspective,” The Journal of Supercomputing, vol. 72, pp. 3522-
3534, 2016.
[55] K. Gai, L. Qiu, M. Chen, H. Zhao and M. Qiu, “SA-EAST: Security-Aware Efficient
Data Transmission for ITS in Mobile Heterogeneous Cloud Computing,” ACM
Transactions in Embedded Computing Systems, vol. 16, p. 60, 2017.
[56] H.-T. Wu and G.-J. Horng, “Establishing an intelligent transportation system with
a network security mechanism in an Internet of vehicle environment,” IEEE Access,
vol. 5, pp. 19239-19247, 2017.
[57] M. Shen, X. Tang, L. Zhu, X. Du and M. Guizani, “Privacy-preserving support vector
machine training over blockchain-based encrypted IoT data in smart cities,” IEEE
Internet of Things Journal, vol. 6, pp. 7702-7712, 2019.
[58] H. S. M. Lim and A. Taeihagh, “Autonomous vehicles for smart and sustainable
cities: An in-depth exploration of privacy and cybersecurity implications,”
Energies, vol. 11, p. 1062, 2018.
[59] A. Rahim, X. Kong, F. Xia, Z. Ning, N. Ullah, J. Wang and S. K. Das, “Vehicular
social networks: A survey,” Pervasive and Mobile Computing, vol. 43, pp. 96-113,
2018.
[60] R. Yu, J. Kang, X. Huang, S. Xie, Y. Zhang and S. Gjessing, “MixGroup:
Accumulative pseudonym exchanging for location privacy enhancement in
vehicular social networks,” IEEE Transactions on Dependable and Secure
Computing, vol. 13, pp. 93-105, 2015.
[61] H. Wang, G. Han, C. Zhu, S. Chan and W. Zhang, “TCSLP: A trace cost based source
location privacy protection scheme in WSNs for smart cities,” Future Generation
Computer Systems, 2017.
[62] A. Alabdulatif, I. Khalil, H. Kumarage, A. Y. Zomaya and X. Yi, “Privacy-preserving
anomaly detection in the cloud for quality assured decision-making in smart
cities,” Journal of Parallel and Distributed Computing, vol. 127, pp. 209-223,
2019.
[63] M. Alamaniotis, N. Bourbakis and L. H. Tsoukalas, “Enhancing privacy of electricity
consumption in smart cities through morphing of anticipated demand pattern
utilizing self-elasticity and genetic algorithms,” Sustainable Cities and Society,
vol. 46, p. 101426, 2019.
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
60
[64] W. Han and Y. Xiao, “IP2DM: integrated privacy-preserving data management
architecture for smart grid V2G networks,” Wireless Communications and Mobile
Computing, vol. 16, pp. 2956-2974, 2016.
[65] ERTICO Team, [Online]. Available: https://ertico.com/. [Accessed 1 March 2020].
[66] G. Vojkovic, “Will the GDPR slow down development of Smart Cities?,” in 2018 41st
International Convention on Information and Communication Technology,
Electronics and Microelectronics (MIPRO), 2018.
[67] B. Lewis, “ISO/IEC 27000 – KEY INTERNATIONAL STANDARD FOR INFORMATION
SECURITY REVISED,” 1 March 2018. [Online]. Available:
https://www.iso.org/news/ref2266.html. [Accessed 2 March 2020].
[68] I. Union, “Communication from the Commission to the European Parliament, the
Council, the European Economic and Social Committee and the Committee of the
Regions,” A new skills agenda for europe. Brussels, 2014.
[69] G. Erbach and J. O'Shea, “Cybersecurity of critical energy infrastructure,” 2019.
[70] H. Khurana, M. Hadley, N. Lu and D. A. Frincke, “Smart-grid security issues,” IEEE
Security & Privacy, vol. 8, p. 81–85, 2010.
[71] P. McDaniel and S. McLaughlin, “Security and privacy challenges in the smart grid,”
IEEE Security & Privacy, vol. 7, p. 75–77, 2009.
[72] W. Wang and Z. Lu, “Cyber security in the smart grid: Survey and challenges,”
Computer networks, vol. 57, p. 1344–1371, 2013.
[73] R. Khatoun and S. Zeadally, “Smart cities: concepts, architectures, research
opportunities,” Communications of the ACM, vol. 59, pp. 46-57, 2016.
[74] B. Morvaj, L. Lugaric and S. Krajcar, “Demonstrating smart buildings and smart
grid features in a smart energy city,” in Proceedings of the 2011 3rd international
youth conference on energetics (IYCE), 2011.
[75] G. Zimmerman, “Smart Buildings At High Risk for Cyber Attacks: Study,” 2019.
[76] “BACnet,” [Online]. Available: http://www.bacnet.org/. [Accessed 3 March 2020].
[77] [Online]. Available: https://www.knx.org/knx-en/for-professionals/index.php.
[Accessed 12 February 2010].
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
61
[78] F. Hanssen and P. G. Jansen, Real-time communication protocols: an overview,
Centre for Telematics and Information Technology, University of Twente, 2003.
[79] M. Peacock and M. N. Johnstone, “An analysis of security issues in building
automation systems,” 2014.
[80] A. Antonini, A. Barenghi, G. Pelosi and S. Zonouz, “Security challenges in building
automation and SCADA,” in 2014 International Carnahan Conference on Security
Technology (ICCST), 2014.
[81] T. Mundt and P. Wickboldt, “Security in building automation systems-a first
analysis,” in 2016 International Conference On Cyber Security And Protection Of
Digital Services (Cyber Security), 2016.
[82] S. Wendzel, “How to increase the security of smart buildings,” Communications of
The ACM, vol. 59, pp. 47-49, 2016.
[83] S. A. Shinde, P. A. Nimkar, S. P. Singh, V. D. Salpe and Y. R. Jadhav, “MQTT-
message queuing telemetry transport protocol,” International Journal of
Research, vol. 3, p. 240–244, 2016.
[84] A. Stanford-Clark and H. L. Truong, “Mqtt for sensor networks (mqtt-sn) protocol
specification,” International business machines (IBM) Corporation version, vol. 1,
p. 2, 2013.
[85] R. Fielding, “Representational state transfer,” Architectural Styles and the Design
of Netowork-based Software Architecture, p. 76–85, 2000.
[86] Z. Shelby, K. Hartke and C. Bormann, “The constrained application protocol
(CoAP),” 2014.
[87] P. Saint-Andre and others, “Extensible messaging and presence protocol (XMPP):
Core,” 2004.
[88] E. B. Hamida, H. Noura and W. Znaidi, “Security of cooperative intelligent
transport systems: Standards, threats analysis and cryptographic
countermeasures,” Electronics, vol. 4, p. 380–423, 2015.
[89] M. N. Mejri, J. Ben-Othman and M. Hamdi, “Survey on VANET security challenges
and possible cryptographic solutions,” Vehicular Communications, vol. 1, p. 53–66,
2014.
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
62
[90] S. Choenni, M. S. Bargh, C. Roepan and R. F. Meijer, “Privacy and Security in Smart
Data Collection by Citizens,” in Public Administration and Information Technology,
Springer International Publishing, 2015, p. 349–366.
[91] A. Gharaibeh, M. A. Salahuddin, S. J. Hussini, A. Khreishah, I. Khalil, M. Guizani
and A. Al-Fuqaha, “Smart Cities: A Survey on Data Management, Security, and
Enabling Technologies,” IEEE Communications Surveys & Tutorials, vol. 19, p.
2456–2501, 2017.
[92] S. Ma, Y. Zheng and O. Wolfson, “Real-time city-scale taxi ridesharing,” IEEE
Transactions on Knowledge and Data Engineering, vol. 27, p. 1782–1795, 2014.
[93] M. Swan, Blockchain: Blueprint for a new economy, " O'Reilly Media, Inc.", 2015.
[94] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” 2019.
[95] A. Jacobi, L. M. Jensen, L. Kool, G. Munnichs and A. Weber, “Security of
eGovernment Systems - Final Report,” STOA, July 2013. [Online]. Available:
http://www.europarl.europa.eu/RegData/etudes/etudes/join/2013/513510/IPO
L-JOIN_ET(2013)513510_EN.pdf. [Accessed 02 February 2020].
[96] V. Della Mea, “What is e-Health (2): The death of telemedicine?,” Journal of
medical Internet research, vol. 3, p. e22, 2001.
[97] J. Y. Khan and M. R. Yuce, “Wireless body area network (WBAN) for medical
applications,” in New developments in biomedical engineering, InTechOpen, 2010.
[98] N. Ahmed, T. Natarajan and K. R. Rao, “Discrete cosine transform,” IEEE
transactions on Computers, vol. 100, pp. 90-93, 1974.
[99] K. R. Rao and P. Yip, Discrete cosine transform: algorithms, advantages,
applications, Academic press, 2014.
[100] C. E. Heil and D. F. Walnut, “Continuous and discrete wavelet transforms,” SIAM
review, vol. 31, pp. 628-666, 1989.
[101] T. Qian, L. Zhang and Z. Li, “Algorithm of adaptive Fourier decomposition,” IEEE
Transactions on Signal Processing, vol. 59, pp. 5899-5906, 2011.
[102] J. Ma, T. Zhang and M. Dong, “A novel ECG data compression method using
adaptive fourier decomposition with security guarantee in e-health applications,”
IEEE journal of biomedical and health informatics, vol. 19, pp. 986-994, 2014.
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
63
[103] M. Vitunskaite, Y. He, T. Brandstetter and H. Janicke, “Smart cities and cyber
security: Are we there yet? A comparative study on the role of standards, third
party risk management and security ownership,” Computers & Security, vol. 83,
pp. 313-331, 2019.
[104] H. Zhang, Z. Tang and K. Jayakar, “A socio-technical analysis of China's
cybersecurity policy: Towards delivering trusted e-government services,”
Telecommunications Policy, vol. 42, pp. 409-420, 2018.
[105] T. Braun, B. C. M. Fung, F. Iqbal and B. Shah, “Security and privacy challenges in
smart cities,” Sustainable Cities and Society, vol. 39, pp. 499-507, 2018.
[106] R. Kazhamiakin, A. Marconi, A. Martinelli, M. Pistore and G. Valetto, “A
gamification framework for the long-term engagement of smart citizens,” in 2016
IEEE International Smart Cities Conference (ISC2), 2016.
[107] J.-P. Hubaux, S. Capkun and J. Luo, “The security and privacy of smart vehicles,”
IEEE Security & Privacy, vol. 2, p. 49–55, 2004.
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
64
8 ANNEX I - Standards related to IoT and Smart Cities
Standards related to IoT and smart cities [103]
Table 5 Standards related to IoT and smart cities
No. Document ID Title Body
1. ANSI/ASQ E 4 Specifications and guidelines for quality systems for
environmental data collection and
environmental technology programs
ANSI
2. BS EN 14908-5:2009 Open data communication in building automation,
controls and building management
implementation guideline - Control network protocol -
Implementation
CEN
3. BS EN 60730-1:1992 Specification for automatic electrical controls for
household and similar use - General
requirements
CEN
4. BS ISO 14813-1:2007 Intelligent transport systems - Reference model
architecture(s) for the ITS sector - ITS service domains,
service groups and services
ISO
5. CR 205-006:1996 en Home and building electronics system (HBES) - Technical
report 6: Protocol and data integrity and interfaces
NEN
6. CSN ISO/IEC TR
15067-3
Information technology - Home electronic system (HES)
application model - Part 3: Model of an energy
management system for HES
ISO/IEC
7. CWA 14947:2004 en European eConstruction architecture (EeA) CEN
8. CWA 15264-3:2005 User requirements for a European interoperable eID
system within a smart card infrastructure
CEN
9. DD CEN/TS
13149-6:2005
Public transport - Road vehicle scheduling and control
systems - CAN message content
CEN
10. DIN SPEC 33440 Ergonomic design of user-interfaces and products for
smart grid and electromobility
DIN
11. DS/EN 61970-1 Energy management system application program
interface (EMS-API) - Part 1:
IEC
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
65
No. Document ID Title Body
Guidelines and general requirements
12. EIA TSB 4940 Smart device communications - Security aspects EIA
13. ETSI GS OSG 001 V
1.1.1
Open smart grid protocol (OSGP) ETSI
14. ETSI TR 102935 V
2.1.1
Machine-to-Machine communications (M2M) -
Applicability of M2M architecture to smart grid networks
- Impact of smart grids on M2M platform
ETSI
15. GOST R 55060 Automatized control systems of buildings and structures.
Terms and definitions
GOST R
16. IEC 62290-1 Railway applications - Urban guided transport
management and command/control systems Part 1:
System principles and fundamental concepts
IEC
17. IEEE 1851 IEEE standard for design criteria of integrated sensor-
based test applications for household appliances
IEEE
18. ISO 15118-1 Road vehicles - Vehicle to grid communication interface -
Part 1: General information and use-case definition
ISO
19. ISO 16484-5 Building automation and control systems - Part 5: Data
communication protocol
ISO
20. ISO/PAS 22720 Association for standardization of automation and
measuring systems open data services 5.0
ISO
21. ISO/TS 24533 Intelligent transport systems - Electronic information
exchange to facilitate the movement of freight and its
intermodal transfer - Road transport information
exchange methodology
ISO
22. ITU-T X.207 Information technology - Open systems interconnection -
Application layer structure
ITU
23. NEMA SG-AMI 1 Requirements for smart meter upgradeability NEMA
24. NEN 7512:2005 nl Health informatics - Information security in the
healthcare sector - Basis for trust for exchange of data
NEN
25. NEN-EN-ISO
24534-3:2013
Intelligent transport systems - Automatic vehicle and
equipment identification -
Electronic registration identification (ERI) for vehicles -
Part 3: Vehicle data
CEN
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
66
No. Document ID Title Body
26. NPR-CEN/TR
16427:2013 en
Intelligent transport systems - Public transport - Traveller
information for visually impaired people (TI-VIP)
CEN
27. OEVE B/EN
60555-1/1987
Disturbances in supply systems caused by household
appliances and similar electrical equipment - Part 1:
Definitions
OVE
28. PAS 1018 Essential structure for the description of services in the
procurement stage
DIN
29. PAS 1090 Demands on information systems for collecting,
communicating and serving of relevant service
information within the technical customer service
DIN
30. PAS 555:2013 Cyber security risk - Governance and management -
Specification
BSI
31. SS-ISO 15784-1:2008 Intellligent transport systems (ITS) - Data exchange
involving roadside modules communication - Part 1:
General principles and documentation framework of
application profiles (ISO 15784-1:2008, IDT)
ISO
32. UTE C15-900U ∗UTE
C15-900
Coexistence between communication and power
networks - Implementation of communication networks
UTE
33. VDI 3814 Blatt 7 Building automation and control systems (BACS) - Design
of user interfaces
VDI
34. VDI 4201 Blatt 1 Performance criteria on automated measuring and
electronic data evaluation systems for monitoring
emissions - Digital interface - General requirements
VDI/DIN
35. BS ISO 20121 Event sustainability management systems - Requirements
with guidance for use
ISO
36. ASTM E 1121 Standard practice for measuring payback for investments
in buildings and building systems
ASTM
37. BIP 2207 Building information management - A standard
framework and guide to BS 1192
BSI
38. BS 8587:2012 Guide to facility information management BSI
39. BS 8903:2010 Principles and framework for procuring sustainably -
Guide
BSI
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
67
No. Document ID Title Body
40. CAN/CSA-ISO/TS
14048:03 (R2012)
Environmental management - Life cycle assessment -
Data documentation format
CSA
41. CWA 15666:2007 en Business requirement specification - Cross industry e-
Tendering process
CEN
42. CWA 15971-1 Discovery of and access to eGovernment resources - Part
1: Introduction and overview
CEN
43. CWA 16649:2013 en Managing emerging technology-related risks CEN
44. CWA 50487:2005 en SmartHouse Code of Practice CEN
45. DS/ISO/IEC 18012-2 Information technology - Home electronic system -
Guidelines for product interoperability - Part 2:
Taxonomy and application interoperability model
ISO/IEC
46. ISO 16484-1 Building automation and control systems (BACS) - Part 1:
Project specification and implementation
ISO
47. ITU-T L.1410 Methodology for the assessment of the environmental
impact of information and communication technology
goods, networks and services
ITU
48. NEN-ISO
29481-2:2012 en
Building information models - Information delivery
manual - Part 2: Interaction framework
ISO
49. NPR-ISO/TR
12859:2009 en
Intelligent transport systems - System architecture -
Privacy aspects in ITS standards and systems
ISO/TR
50. RAL-UZ 170 Basic criteria for award of the environmental label -
Energy services provided under guaranteed energy
savings contracts
RAL Güte
51. SS-ISO/IEC
27005:2013
Information technology - Security techniques -
Information security risk management
ISO/IEC
52. VDI 3814 Blatt 5 Building automation and control system (BACS) - Advices
for system integration
VDI
53. VDI 4466 Blatt 1 Automatic parking systems - Basic principles VDI
54. VDI 7000 Early public participation in industrial and infrastructure
projects
VDI
55. VDI/GEFMA 3814
Blatt 3.1
Building automation and control systems (BACS) -
Guidance for technical building management - Planning,
GEFMA
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
68
No. Document ID Title Body
operation, and maintenance - Interface to facility
management
56. BS ISO 37120 Sustainable development and resilience of communities -
Indicators for city services and quality of life
ISO
57. BS ISO/TR 37150 Smart community infrastructures - Review of existing
activities relevant to metrics
ISO
58. ABNT NBR 14022 Accessibility in vehicles of urban characteristics for
public transport of passengers
ABNT
59. BIP 2228:2013 Inclusive urban design - A guide to creating accessible
public spaces
BSI
60. BS 7000-6:2005 Design management systems - Managing inclusive design -
Guide
BSI
61. BS 8904:2011 Guidance for community sustainable development BSI
62. CLC/FprTR 50608 Smart grid projects in Europe CENELEC
63. CWA 15245 EU e-Government metadata framework CEN
64. CWA 16030:2009 Code of practice for implementing quality in mobility
management in small and medium sized cities
CEN
65. CWA 16267:2011 Guidelines for sustainable development of historic and
cultural cities - Qualicities
CEN
66. DIN SPEC 91280 Ambient assisted living (AAL) - Classification of ambient
assistant living services in the home environment and
immediate vicinity of the home
DIN
67. GOST R 54198 Resources saving - Industrial production - Guidance on
the application of the best available technologies for
increasing the energy efficiency
GOST R
68. PAS 181:2014 Smart city framework - Guide to establishing strategies
for smart cities and communities
BSI
69. UNI 10951:2001 Systems of information for the maintenance management
of buildings - Guidelines
UNI
70. Z762-95 (R2011) Design for the environment (DFE) CSA
71. IEEE 1363 series Standards define specifications for public key
cryptography
IEEE
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
69
No. Document ID Title Body
72. IEEE 1619 series Standards define specifications for encryption in storage
media
IEEE
73. IEEE P24151-1-4 Standard for Smart Transducer Interface for Sensors,
Actuators and Devices - eXtensible Messaging and
Presence Protocol (XMPP) - currently being developed,
specifically addresses security
IEEE
74. IEEE
1451/21450/21451
Series of standards for sensors and actuators IEEE
75. IEEE 2410-2015 IEEE standard for Biometric Open Protocol IEEE
76. IEEE P1912 Standard for Privacy and Security Architecture for
Consumer Wireless Devices - currently being developed
IEEE
77. IEEE 802.1X-2020 IEEE Standard for Local and metropolitan area networks-
Port-Based Network Access
Control
IEEE
78. IEEE 802.1AE-2006 IEEE Standard for Local and Metropolitan Area Networks:
Media Access Control (MAC) Security; Security
capabilities expanded by IEEE 802.1AEbw-2013.
IEEE
79. IEEE 802.1AR-2009 Standard for Local and metropolitan area networks -
Secure Device Identity
IEEE
80. IEEE 11-2012 series IEEE Standard for Information technology-
Telecommunications and information exchange between
systems Local and metropolitan area networks-Specific
requirements Part 11: Wireless LAN Medium Access Control
(MAC) and Physical Layer (PHY) Specifications
IEEE
81. IEEE 802.15.4-2015 IEEE Standard for Local and metropolitan area networks-
Part 15.4: Low-Rate Wireless
Personal Area Networks (LR-WPANs)
IEEE
82. IEEE 802.21a-2012 IEEE Standard for Local and Metropolitan Area Networks:
Media Independent Handover
Services - Amendment for Security Extensions to Media
Independent Handover
Services and Protocol
IEEE
83. IEEE 1888 series IEEE Standard for Ubiquitous Green Community Control
Network Protocol and its security
IEEE
D11.12: Cyber Data Security Management Plans
This project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement N° 864400.
70
No. Document ID Title Body
84. IEEE 692-2013 IEEE Standard for Criteria for Security Systems for
Nuclear Power Generating Stations
IEEE
85. IEEE C37.240-2014 IEEE Standard Cyber-security Requirements for Substation
Automation, Protection, and
Control Systems
IEEE
86. IEEE 1686-2013 IEEE Standard for Intelligent Electronic Devices Cyber
Security Capabilities
IEEE
87. PAS 180 Smart city terminology BSI
88. PAS 182 Data concept model for smart cities BSI
89. PAS 184 Project proposals for delivering smart city BSI
90. PD 8100 Smart city overview document BSI
91. PD8101 Smart city planning guidelines document BSI
92. BS
ISO/IEC30182:2017
Smart city concept model BSI
93. PD ISO/TR
37121:2017
Standard on inventory of existing guidelines and
approaches on sustainable development and resilience in
cities
BSI
Recommended